The document provides guidance on migrating configuration data from Cisco Secure Access Control System (ACS) Releases 3.x and 4.x to ACS Release 5.6. It describes the differences between the older and new versions, outlines the migration process, and details how to use the ACS 5.6 Migration Utility to migrate users, network devices, policies and other elements from ACS 4.x to 5.6. Administrators can use the utility to analyze, export, import and validate configuration data during the migration.
Derek Milroy, IS Security Architect at U.S. Cellular Corporation, defined “vulnerability management” and how it affects today’s organizations during his presentation at the 2014 Chief Information Security Officer (CISO) Leadership Forum in Chicago on Nov. 19. In his presentation, “Enterprise Vulnerability Management/Security Incident Response,” Milroy noted vulnerability management has different meanings to different organizations, but an organization that utilizes vulnerability management processes can effectively safeguard its data.
According to Milroy, an organization should develop its own vulnerability management baselines to monitor its security levels. By doing so, Milroy said an organization can launch and control vulnerability management systems successfully. In addition, Milroy pointed out that vulnerability management problems occasionally will arise, but a well-prepared organization will be equipped to handle such issues: “Problems are going to happen … You have to work with your people. This can translate to any tool that you’re putting in place. Make sure your people have plans for what happens when it goes wrong, because it’s going to [happen] every single time.”
Milroy also noted that having actionable vulnerability management data is important for organizations of all sizes. If an organization evaluates its vulnerability management processes regularly, Milroy said, it can collect data and use this information to improve its security: “The simplest rule of thumb for vulnerability management, click the report, hand the report to someone. Don’t ever do that. There is no such thing as a report from a tool that you can just click and hand to someone until you first tune it and pare it down.”
See more at: http://www.argylejournal.com/chief-information-security-officer/enterprise-vulnerability-managementsecurity-incident-response-derek-milroy-is-security-architect-u-s-cellular-corporation/
This document provides an overview of IBM i security best practices. It discusses the importance of performing regular security assessments, staying current on fixes, implementing virus protection, using appropriate system security levels and values, enabling security auditing, restricting privileged users and service tools, implementing physical security, and using additional layers of security like resource security and row/column access control in Db2 tables. The goal is to provide a layered security approach to protect the IBM i system and data from both internal and external threats.
Endpoint Detection and Response for Dummies (Liberteks)
This document provides an introduction to the concepts of endpoint detection and response (EDR). It defines an endpoint broadly as any connected device used to access an organization's network and data. As new types of devices connect, the definition of an endpoint is expanding beyond traditional computers and mobile devices to also include IoT devices, servers, and industrial systems. The document outlines how EDR can help organizations securely manage this growing variety of endpoints and detect and respond to security threats through automated monitoring and response capabilities. It provides an overview of the topics that will be covered in the book.
Understanding Your Attack Surface and Detecting & Mitigating External Threats (Ulf Mattsson)
Description: Organizations have spent massive amounts of money to protect the perimeter of their networks, but if your business exists on the internet, there really is no perimeter. In this presentation, we'll discuss Digital Footprints as a way of understanding your company’s external attack surface. We will discuss social, mobile and web attacks, and analyze and review lessons learned from recently publicized attacks (Polish banking institutions, the Apache Struts vulnerability, or WannaCry ransomware). The speed of business and cybercrime isn't slowing down, so how can you be prepared to address and defend against these types of threats? Attend our session to find out how.
Reducing Your Digital Attack Surface and Mitigating External Threats - What, Why, How:
- What is a Digital Footprint?
- Breakdown of External Threats (Social, Mobile, Web)
- What are blended attacks?
- What is actually being targeted at your company?
- How are your brands, customers, and employees being attacked outside of your company?
- How to become proactive in threat monitoring on the internet?
- Considerations in External Threat solutions
- Threat correspondence tracking considerations
- Are legal cease-and-desist letters adequate for stopping attacks?
- Examination of a phishing attack campaign
- How phishing kits work
- Analysis and lessons learned from recently published attacks
- What are the most important capabilities in a digital risk monitoring solution?
This document provides information on detecting WMI exploitation. It discusses how WMI can be used by adversaries to remotely execute payloads, persist, query systems, and more. It outlines various ways WMI is exploited, including installing malicious MOF files and DLLs. The document recommends enabling specific Windows event logs and logging options to detect WMI activity, such as Process Creation, Authentication, and PowerShell logs. It also discusses tools that can help hunt for WMI exploitation like LOG-MD, Sysinternals AutoRuns, and WMI Explorer.
Empower Your Security Practitioners with Elastic SIEM (Elasticsearch)
Learn how Elastic SIEM’s latest capabilities enable interactive exploration and automated analysis — all at the speed and scale your security practitioners need to defend your organization.
See the video: https://www.elastic.co/elasticon/tour/2019/washington-dc/empower-your-security-practitioners-with-elastic-siem
This document discusses how SonicWall's Deep Packet Inspection over SSL (DPI-SSL) technology helps customers defeat encrypted threats. It explains that most websites and proxy/bypass apps are now encrypted, and attacks are being delivered over encrypted channels. SonicWall's DPI-SSL works by intercepting, decrypting, and inspecting encrypted traffic for threats, then re-encrypting safe traffic before sending it to the client. This allows the firewall to see threats that were previously hidden in encrypted traffic. The document also provides details on SonicWall's firewall product lineups and their DPI-SSL throughput performance and scalability.
Today’s cutting-edge companies have release cycles measured in days instead of months. This agility is enabled by the DevOps practice of continuous delivery, which automates building, testing, and deploying all code changes. This type of automation helps you catch bugs sooner and accelerates developer productivity. In this session we will share how our AWS engineers embed security practices in DevOps, and discuss how you can use AWS services to securely enable DevOps agility in your organization.
Carlos García - Pentesting Active Directory Forests [rooted2019] (RootedCON)
The document discusses penetration testing of Active Directory forests and trusts. It begins with an introduction to forests, domains, and trust types. It then covers authentication protocols like NTLM and Kerberos across trusts. Next, it discusses techniques for enumerating trusts and mapping the trust relationships. The document outlines common attacks when domain admin privileges are available, such as using Golden Tickets and SID history exploitation. For situations without domain admin, it recommends reconnaissance of trusts and objects to map a path to privileged accounts.
This document discusses continuous integration (CI) and continuous deployment (CD) achieved through MuleSoft. It provides an overview of DevOps tools and principles like CI, CD, and automation. The document outlines the benefits of CI/CD like faster delivery and recovery. It presents MuleSoft's high-level architecture and how it supports CI/CD. It also discusses APIs, system integration, and the benefits of applying CI/CD patterns with MuleSoft, such as increased code coverage and deploying code to production faster with fewer bugs.
Volkswagen | ECU Software Development with codeBeamer ALM: IT Aspects (Intland Software GmbH)
This talk was presented by Dr. Stefan Bussmann (Volkswagen AG) at Intland Connect: Annual User Conference 2020 on 22 Oct 2020. To learn more, visit: https://intland.com/intland-connect-annual-user-conference-2020/
The document discusses Akamai's product strategy and the challenges of a hyperconnected world with increasing internet traffic, cloud adoption, and mobile usage. It outlines Akamai's core products including web performance, media delivery, and web security and emerging areas like hybrid cloud. It also discusses the state of the media delivery, web performance, and security businesses and drivers for future growth. Key themes are using Akamai's global edge computing platform and intelligent routing to optimize performance and security as more applications and content move to the cloud and are accessed on mobile devices.
The document outlines the steps in an integrated selling process and provides resources at each step. It includes sections for prospecting, qualification, proposals, agreements, and closing. Under resources, it lists internal wireline resources and external tools for customer intelligence and diving deep into topics.
In this session, we’ll discuss the benefits of moving from monolithic to micro-services application architectures, and examine where micro-services can be used. We’ll share common transition strategies and relate them to the specifics of e-commerce and retail workloads, using customer examples. You’ll learn how to build micro-services using AWS services, and get a better understanding of the role of data storage, API endpoints and service discovery. Plus, you can learn from the real-life experience of Digital Goodie, an online retailing platform for connected commerce.
CIS 2017 - So you want to use standards to secure your APIs? (Bertrand Carlier)
The document discusses OAuth and identity management standards for securing APIs. It provides an overview of OAuth concepts like authorization codes, refresh tokens, and OpenID Connect. It also discusses current challenges around pairing devices, protecting tokens from hijacking, sharing access and consent, and transmitting identity. The document emphasizes that OAuth is a rich ecosystem and to choose the right specifications, integrate them carefully, and avoid a flawed security architecture or false sense of security.
This document discusses DevOps training provided by QA. It begins by outlining some of the main benefits of DevOps such as faster software delivery, better application quality, and stronger competitive advantages. It then discusses that DevOps requires cultural change and provides training for roles across the software development process. QA offers a variety of courses focused on DevOps tools, strategies, and supporting Agile skills. Their training is delivered by experienced instructors and includes hands-on learning. QA also has partnerships with vendors to provide relevant skills training. A range of solutions are available depending on an organization's specific DevOps needs and goals.
CA World - mft1755 - Gaps in your defense: hacking the mainframe (Philip Young)
The document discusses gaps in mainframe security and how hackers are increasingly targeting mainframes. It notes that while mainframes are seen as inherently secure, they are actually vulnerable in several ways. The presentation will explore current mainframe hacking techniques using tools like Nmap, how flat network architectures have increased risk, and steps organizations can take to optimize mainframe security beyond just compliance, such as vulnerability scanning and penetration testing.
A Distributed Malware Analysis System: Cuckoo Sandbox (Andy Lee)
This document describes a distributed malware analysis system using Cuckoo Sandbox. It discusses:
1) Cuckoo Sandbox is an open source automated malware analysis system that runs binary files in virtual machines to record behaviors like API calls, files created, registry access, and network traffic.
2) The motivation for a distributed system is that the computing power of a single machine is limited, causing performance bottlenecks for analyzing large numbers of samples.
3) The distributed Cuckoo system uses a master-worker architecture to assign analysis tasks to multiple worker nodes in parallel, reducing total analysis time and allowing the system to scale to more samples as hardware resources increase.
This document discusses the principles of zero trust architecture, which aims to eliminate trust from IT systems by verifying all users and devices before granting limited, least-privilege access. It outlines the core elements of zero trust, including verifying the user, verifying their device, and limiting access and privileges. The document also notes that implementing zero trust will require monitoring the environment closely, architecting microperimeters, mapping acceptable data routes, and identifying sensitive data. Organizations may face challenges from technical debt, legacy systems, and other issues requiring new technologies or wrappers.
Presentation used during the full pre-conference day of MWCP 19, led by MVPs Guillaume Mathieu and Sébastien Paulet, on the subject of M365 security, at the Microsoft France offices.
What attacks can O365/M365 accounts be subjected to? How can you protect against them?
CISSP Prep: Ch 7. Security Assessment and Testing (Sam Bowne)
The document discusses various methods for assessing security controls and testing systems, including penetration testing, social engineering, vulnerability testing, security audits, and software testing methods. It covers topics like penetration testing tools and methodology, assuring data confidentiality, different types of audits and reviews, and levels of software testing from unit to acceptance. Static and dynamic analysis are introduced as approaches to software security testing.
The document discusses advanced persistent threats (APTs), which are sophisticated, long-term cyber attacks targeting specific organizations or governments. APTs aim to stealthily gain unauthorized access to networks to steal data over an extended period. They are usually carried out by nation-state actors or sophisticated cybercriminal groups. Defending against APTs requires a strategic, intelligence-driven approach combining technologies like endpoint detection and response with human analysis to identify subtle behavioral anomalies indicating an intrusion.
The slides give a short overview about the new connectors developed by Emerasoft: the Polarion - Enterprise Architect connector; the Polarion - Jenkins/Hudson connector; the Polarion monitoring tool FARO.
Security operations centres are made up of several roles, and each role benefits from a person with specific skills and competencies. This presentation was given at Napier University on 13/11/2019 at their 'Cyber Breakfast'.
The document discusses role and user management in IT360 Enterprise and Professional Editions. It defines roles as controlling authorization to modules while users control authentication to the application. There are 11 predefined roles and 8 users in IT360 with varying levels of access. A role-user matrix shows which users are associated with which roles and a role-module matrix maps roles to the read/write privileges they provide for each module. The presentation explains how to create new custom roles and users and associate them.
This document discusses software audits, including an overview of the software audit process and its significance. A software audit is an independent examination of a software product, process, or set of processes to assess compliance. It describes the typical participants in an audit, such as the initiator, lead auditor, and audited organization. The document also covers the types of audits, purposes of audits, principles of audits, steps involved, and top audit software products.
Microservices Architectures: Become a Unicorn like Netflix, Twitter and Hailo (gjuljo)
Full day workshop about Microservices Architectures, from the basis to advanced topics like Service Discovery, Load Balancing, Fault Tolerance and Centralized Logging.
Many technologies are involved, like Spring Cloud Netflix, Docker, Cloud Foundry and ELK.
A separate deck describes all the lab exercises.
This document provides instructions for configuring Cisco Secure Access Control Server (ACS), including deploying ACS servers, configuring new features in ACS 4.2, using RDBMS synchronization, setting password policies, configuring agentless host support, PEAP/EAP-TLS authentication, syslog logging, and network access control. It describes factors to consider for deployment and provides step-by-step examples for common configuration scenarios. The document is intended for security administrators who configure and maintain network and application security using ACS.
This document provides information about configuring a Cisco Catalyst 2960 switch, including:
- Details on the Catalyst 2960 switch software configuration guide for Cisco IOS Release 12.2(50)SE.
- Instructions and guidelines for configuring features such as VLANs, security, QoS, monitoring, and more.
- Examples of network configuration designs using Catalyst 2960 switches.
- Information on default settings, commands, and other technical aspects of switch configuration.
Microservices Architectures: Become a Unicorn like Netflix, Twitter and Hailo, by gjuljo
Full day workshop about Microservices Architectures, from the basis to advanced topics like Service Discovery, Load Balancing, Fault Tolerance and Centralized Logging.
Many technologies are involved, like Spring Cloud Netflix, Docker, Cloud Foundry and ELK.
A separate deck describes all the lab exercises.
This document provides instructions for configuring Cisco Secure Access Control Server (ACS), including deploying ACS servers, configuring new features in ACS 4.2, using RDBMS synchronization, setting password policies, configuring agentless host support, PEAP/EAP-TLS authentication, syslog logging, and network access control. It describes factors to consider for deployment and provides step-by-step examples for common configuration scenarios. The document is intended for security administrators who configure and maintain network and application security using ACS.
This document provides information about configuring a Cisco Catalyst 2960 switch, including:
- Details on the Catalyst 2960 switch software configuration guide for Cisco IOS Release 12.2(50)SE.
- Instructions and guidelines for configuring features such as VLANs, security, QoS, monitoring, and more.
- Examples of network configuration designs using Catalyst 2960 switches.
- Information on default settings, commands, and other technical aspects of switch configuration.
This document covers Cisco Configuration Assistant, a tool for centrally managing Cisco devices. As with any such tool, network changes made through it should be tested carefully before they are deployed to production.
This document provides an overview and instructions for configuring and managing Cisco CallManager, including:
- Configuring system settings like servers, Cisco CallManager groups, regions, and device pools.
- Configuring call routing settings like route patterns, hunt pilots, partitions, and calling search spaces.
- Configuring features like automated alternate routing, application dial rules, SIP dial rules, and hunt lists.
This document provides information about Cisco Catalyst 2950 and Catalyst 2955 switches, including:
- An overview of features such as performance, manageability, redundancy, and security.
- Examples of network configurations using these switches, such as a small office network and hotel network.
- Instructions for configuring settings like IP addresses, clustering, authentication, and other management functions.
This document provides a software configuration guide for Cisco Aironet 340 and 350 series access point radios and Ethernet interfaces. It includes instructions for configuring basic settings like the system name and SSID, radio settings, VLAN configuration, filters and quality of service settings, Proxy Mobile IP, and other optional settings. The document also covers security configuration such as setting up WEP, enabling additional security features, and configuring different authentication types including open, shared key, EAP, and MAC-based authentication.
This document provides instructions and guidelines for configuring and managing Cisco networking hardware and software. It includes information on:
- Configuring redundancy features like NSF with SSO and RPR supervisor engine redundancy for high availability.
- Configuring and monitoring the switch fabric functionality for optimal performance.
- Configuring interfaces including setting speed, duplex mode, flow control, and other optional features.
- Performing enhanced fast software upgrades to minimize disruption when updating software versions.
The document contains detailed technical information, commands, and verification steps to configure and manage Cisco switches and routers for various networking needs.
This document provides information about Cisco's Catalyst 4500 Series Switch, including:
- Contact information for Cisco's corporate headquarters and information on how to access documentation and technical support.
- An overview of the system message format used for error messages on the Catalyst 4500, including the message structure, severity levels, and sample messages.
- Explanations of specific error messages generated by the Catalyst 4500, grouped by component or issue, along with recommended recovery procedures.
Actor Model Import Connector for Microsoft Active Directory, by protect724rkeer
This document provides instructions for installing and configuring the Actor Model Import Connector for Microsoft Active Directory. It allows extracting user identity information from an Active Directory LDAP and populating ArcSight ESM with Actor resources. Key steps include importing the CA certificate, installing the connector, setting up the import user in ESM, performing an initial import of actor data, and accessing advanced parameters. The connector supports Active Directory on Windows Server 2003 and 2008.
This document introduces Cisco Configuration Professional (Cisco CP) and provides instructions for initial setup. It describes Cisco CP as a GUI tool for configuring Cisco routers. Devices shipped with Cisco CP have a default configuration that allows using Cisco CP Express connected directly to configure basic settings like IP addresses before placing the device on the network. After initial configuration, Cisco CP can be used over the network to access devices and make advanced configurations. Instructions are provided for both deployed devices and switches.
This document contains information about Cisco's AsyncOS 8.0 for Email software, including:
- Copyright and legal notices about specifications, warranties, and liability
- An overview of the software's features for receiving, routing, and delivering email
- Instructions for configuring the gateway to receive email by defining listeners, mail flow policies, and the host access table
This document provides instructions for configuring Cisco Aironet access points. It begins with an overview that describes the features and management options of Cisco Aironet access points. It then provides step-by-step instructions for initial configuration, including obtaining an IP address, assigning basic settings through the web interface or command line. The document also covers more advanced configuration topics such as security, radio settings, multiple SSIDs, and using the access point as a local authenticator.
This document provides release notes for version 6.2 of the ArcSight Connector Appliance. It describes new features in this version including appliance health monitoring, LDAP authentication, read-only user groups, and SSL certificate expiration alerts. It provides instructions for upgrading from version 6.1, including preserving the remote management configuration and upgrading files. It also lists supported browsers, information users should know about the upgrade, closed issues, and open issues.
This document provides step-by-step instructions for setting up basic and advanced Active Directory Certificate Services (AD CS) lab environments. The basic lab uses two servers - one as the domain controller and one to host an enterprise root CA. The root CA issues certificates to the Online Responder service and a client computer. The advanced lab adds a subordinate CA, network device enrollment, and additional configuration steps. Both labs configure certificate templates, the Online Responder, and revocation checking to test AD CS functionality.
This document provides a troubleshooting guide for the Cisco IOS XR Software and Cisco ASR 9000 Aggregation Services Router. It describes how to validate software installation and configuration, verify interfaces and connectivity, troubleshoot packet forwarding issues, and gather system information for technical support. Specific problems covered include interface status, routing, switch fabric, MPLS, VLANs, Ethernet services, and more.
This document provides guidance for troubleshooting issues that may occur when deploying a storage area network (SAN) using Cisco MDS 9000 Family switches. It covers basic troubleshooting methodology and tools, troubleshooting issues for a single switch or between switches, fabric-level issues, and IP storage troubleshooting. The document is organized into chapters covering an overview, switch hardware and booting problems, switch and interswitch connectivity, fabric-level issues, IP storage issues, troubleshooting the fabric, and Fabric Manager issues.
This document provides a summary of Cisco Application Centric Infrastructure (ACI) virtualization capabilities and configuration guidelines. It covers topics such as configuring virtual machine networking policies using Cisco APIC, managing uplinks for virtual machine manager (VMM) domains, configuring custom EPG names, using microsegmentation with Cisco ACI, and integrating Cisco ACI with VMware vCenter, VMware vRealize, Cisco UCSM, VMware NSX-T, and Cisco ACI Virtual Edge. The document is intended for network administrators who need to configure and manage virtualized networking solutions using Cisco ACI.
The document discusses PowerCenter 9.x upgrade strategies presented by Softpath at the Atlanta User Group. It introduces the presenters and provides an overview of Softpath. Various upgrade approaches - such as zero downtime, parallel, cloned, and in-place upgrades - are presented along with their benefits, risks, and time requirements. The stages of an upgrade including planning, preparation work, installation, testing, and production implementation are also outlined.
The ClearPass Policy Manager dashboard provides system administrators with visual summaries of network access requests, device health statuses, authentication results, and top device types. It displays weekly and daily graphs of total requests, healthy/unhealthy requests, and successful/failed authentications. Recent authentication and event logs are also shown. Quick links allow navigating to key configuration and monitoring areas. The cluster status widget indicates the health and resource usage of each ClearPass node.
This document provides a troubleshooting guide for Cisco Secure Access Control Server (ACS) releases 4.1 and 4.2. It contains troubleshooting procedures, tools, and information for resolving common problems. The guide describes how to check the ACS installation, test authentication, use log files and command line utilities for debugging, and troubleshoot specific issues like administrator lockouts, authentication failures, and database problems. It is intended to help administrators resolve issues with ACS.
This document provides instructions for installing Microsoft SQL Server 2012 Developer and Express Editions. It discusses downloading SQL Server from the Microsoft Developer Network Academic Alliance (MSDNAA) program or directly from Microsoft. The Developer Edition is recommended for coursework, while Express Edition can be used if Developer is not available. The document then provides step-by-step instructions for installing each edition, configuring features and instances, and getting started with SQL Server.
This document provides instructions for integrating Blue Coat ProxySG and ProxyAV appliances to provide web malware protection. Key points include:
- The ProxySG acts as a proxy and forwards HTTP requests to the ProxyAV for malware scanning before returning content to users.
- The ProxyAV uses supported malware scanning engines to scan content for viruses, spyware, phishing and other web-based threats.
- Appliances can be deployed together with direct internet access or in a closed network, with guidelines provided for one-to-one and redundant configurations.
- Detailed steps are outlined for configuring the appliances, enabling malware scanning, and testing the threat protection policy.
Cisco has integrated its newly acquired Sourcefire technology into its product portfolio. It has added Sourcefire's Advanced Malware Protection (AMP) capabilities to its content security products. Most importantly, Cisco introduced the Cisco ASA with FirePOWER Services next-generation firewall that combines the ASA firewall with Sourcefire's Next-Generation IPS and AMP technologies. This new offering provides improved visibility into threats, enhanced threat prevention, and a consolidated security platform. While the integration brings benefits, a single management console and tighter integration with other Cisco infrastructure products is still needed.
The document discusses how the Blue Coat family of products can provide layered defense against malware threats through the ProxySG, BCWF, and ProxyAV. It describes five methods: 1) blocking access to known malware sites with BCWF categories and dynamic ratings, 2) detecting hidden file types with CPL tests, 3) removing active content from HTML pages with CPL transformations, 4) blocking mobile malicious code with CPL string rewriting and script injection, and 5) implementing anti-malware protection with ProxyAV scanning. The layered approach follows the principle of "defense in depth" to prevent malware infection.
This document provides an overview of EtherChannels and link-state tracking on Catalyst 2960 and 2960-S switches. It describes what EtherChannels are, how they increase bandwidth, and how they provide link redundancy. It also explains different EtherChannel configurations including PAgP, LACP, and on mode. Additionally, it covers load balancing methods and how EtherChannels work in switch stacks. The document concludes by briefly introducing link-state tracking and how it can be configured.
The document discusses the benefits of the F5 BIG-IP Global Traffic Manager (GTM) solution. It provides high-level overviews of how GTM can help deliver users to the best available data center, power mission-critical events, manage SOA applications across multiple data centers, and eliminate downtime from DNS errors. GTM offers features like application health monitoring, distributed application monitoring, integrated zone file management, support for IPv6, and high performance DNS serving. It can help reduce costs, improve availability, simplify management, and eliminate revenue loss from broken transactions.
The document proposes two plans to deploy a Link Controller in the network. Plan 1 involves placing the Link Controller behind the switch, moving NAT from the firewall to the Link Controller. Plan 2 places the Link Controller before the switch, also moving NAT to the Link Controller. It requests information including NAT rules, public IPs, internal/external Link Controller IPs if either plan is implemented.
CISCO ACS 5.6 Migration Guide
Cisco Systems, Inc.
www.cisco.com
Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco website at www.cisco.com/go/offices.

Migration Guide for Cisco Secure Access Control System 5.6
July 2015
3. 1
Migration Guide for Cisco Secure Access Control System 5.6
C O N T E N T S
Preface 1
Audience 1
Organization 1
How to Use This Document 2
Conventions 2
Documentation Updates 3
Product Documentation 3
Related Documentation 4
Obtaining Documentation and Submitting a Service Request 4
C H A P T E R 1 ACS 5.6 Deployment Overview 1-1
Windows Versus Linux-Based Applications 1-2
Replication 1-2
Identity Stores 1-3
Logging 1-3
Configuration 1-4
Licensing 1-4
Server Deployment Recommendations 1-5
Performance 1-6
C H A P T E R 2 Understanding ACS 5.6 Configuration 2-1
ACS 5.6 Configuration 2-1
Network Resources 2-2
Users and Identity Stores 2-7
Policy Elements 2-11
System Administration 2-15
C H A P T E R 3 Configuration Migration Methods in ACS 5.6 3-1
Migration Methods 3-1
Migration Utility 3-1
CSV Import Tool 3-2
About the Migration Utility 3-3
4. Contents
2
Migration Guide for Cisco Secure Access Control System 5.6
Migrating from ACS 4.x to 5.6 3-3
Multiple-Instance Migration 3-3
Migration Phases for ACS 5.6 3-4
Data Model Organization 3-4
Multiple-Instance Migration Support 3-5
Migrating Data 3-7
Object Group Selection 3-8
Analysis and Export 3-9
Import 3-9
Multiple-Instance Support 3-9
C H A P T E R 4 ACS 5.6 Migration Utility Support 4-1
ACS 4.x to 5.6 Migration Version Support 4-1
ACS 4.0 Migration Support 4-1
ACS 4.x Appliance Support 4-2
CSACS-1120 Series Appliance Support 4-2
Remote Desktop Support 4-2
Multiple-Instance Support 4-2
ACS 4.x Elements Supported in the Migration Process 4-3
ACS 4.x Elements Not Supported in the Migration Process 4-4
User Interface 4-5
CLI-Based Migration Utility 4-5
C H A P T E R 5 Migration Utility Setup and Installation 5-1
Migration Preinstallation Considerations 5-1
System Requirements 5-2
ACS Software Accessory Kit DVDs 5-3
Security Considerations 5-4
Accessing the Migration Utility 5-4
Migration Utility Packaging 5-4
Data Migration and Deployment Scenarios 5-5
Guidelines for Data Migration in a Single ACS Server 5-5
Guidelines for Data Migration in a Distributed Environment 5-5
Data Migration Between Platforms 5-6
C H A P T E R 6 Using the Migration Utility to Migrate Data from ACS 4.x to ACS 5.6 6-1
Introduction 6-1
5. Contents
3
Migration Guide for Cisco Secure Access Control System 5.6
Running the Migration Utility 6-2
Migration Script Sections 6-5
Migration of ACS 4.x Objects 6-9
AAA Client/Network Device 6-10
NDG 6-14
Internal User 6-16
User Group 6-23
User Group Policy Components 6-24
Shared DACL Objects 6-29
Shared RACs 6-30
RADIUS VSAs 6-32
EAP-Fast Master Keys and the Authority ID 6-34
Analysis and Export of ACS 4.x Data 6-36
Consolidating Data 6-37
Issues Resulting from the Analysis and Export Phase 6-37
Importing the ACS 4.x Data to ACS 5.6 6-37
Migrating Multiple Instances 6-40
Migration Impact on Memory and Performance 6-40
Printing Reports and Report Types 6-40
Analyze and Export Summary Report 6-42
Analyze and Export Full Report 6-42
Import Summary Report 6-43
Import Full Report 6-44
Validating Import 6-45
Summary Report 6-45
Full Report 6-46
Errors and Exception Handling 6-47
Confirming the Migration 6-47
Users and User Groups 6-48
Command Shell Migration 6-49
Command Set Migration 6-50
NDG Migration 6-51
Network Device Migration 6-52
DACL Migration 6-53
MAB Migration 6-54
Shared RACs 6-55
RADIUS VSA 6-56
KEK and MACK Keys 6-57
APPENDIX A ACS 5.6 Attribute Support in the Migration Utility A-1
Introduction A-1
ACS 4.x to 5.6 Migration A-1
AAA Client/Network Device A-2
NDG A-2
Internal User A-2
User Policy Components A-3
User Group A-3
User Group Policy Components A-4
Shared Shell Command Authorization Sets A-4
MAB A-4
DACL A-5
EAP-FAST Master Keys A-5
Shared RACs A-5
Customer VSAs A-5
Max User Sessions A-5
APPENDIX B Configuration Mapping from ACS 3.x and 4.x to ACS 5.6 B-1
APPENDIX C Feature Comparison of ACS 3.x and 4.x with ACS 5.6 C-1
APPENDIX D Troubleshooting the Migration Utility D-1
Unable to Restore the ACS 4.x Database on the Migration Machine D-1
Remote Desktop Connection Not Supported for the Migration Utility D-2
Migrating Objects from Large-Scale Databases D-2
Import Phase Only Adds Partial Data D-2
ACS 5.6 Machine Does Not Respond After Import D-3
Resolving Migration Issues D-3
Overlapping IP Addresses D-3
Untranslatable IP Addresses D-4
Network Devices with More Than 40 IP Addresses D-4
Invalid TACACS+ Shell Privilege Level D-5
TACACS+ Custom Attributes Are Not Migrated D-5
Shell Command Authorization Set Not Associated with User or Group D-6
Migration Failed with Manually Created Super Admin D-6
Migration Utility Messages D-6
Downloadable ACLs D-7
MABs D-7
NDGs D-8
Master Keys D-8
Network Devices D-9
RACs D-10
Command Set D-11
Shell Exec D-12
Users D-13
User Attributes D-14
User Attribute Values D-14
User Groups D-15
VSA Vendors D-15
VSAs D-15
Reporting Issues to Cisco TAC D-16
GLOSSARY
INDEX
Preface
Published: July 8, 2015
This document describes the data migration process from Cisco Secure Access Control System (ACS)
Releases 3.x and 4.x to Cisco Secure ACS Release 5.6. ACS 5.6 provides many new features and
functionality.
There are several differences between ACS 3.x and 4.x and ACS 5.6 platforms. You should clearly
understand these differences before attempting to migrate to ACS 5.6. This document highlights these
differences and provides guidance on how to migrate your ACS 3.x and 4.x configuration to ACS 5.6.
In addition to understanding the information in this document, Cisco recommends that you perform a
thorough evaluation of the ACS 5.x platform.
Audience
This guide is for administrators who want to migrate to the ACS 5.6 platform.
Organization
This guide includes the following sections:
Title: Description
Chapter 1, “ACS 5.6 Deployment Overview”: Provides an overview of the ACS 5.6 deployment model in comparison with ACS 3.x and 4.x.
Chapter 2, “Understanding ACS 5.6 Configuration”: Explains the configuration areas in ACS 5.6 in comparison with ACS 3.x and 4.x, to help understand how older configurations can be converted to ACS 5.6.
Chapter 3, “Configuration Migration Methods in ACS 5.6”: Describes different methods to migrate the configuration from existing systems to ACS 5.6.
Chapter 4, “ACS 5.6 Migration Utility Support”: Describes the scope of migration using the Migration Utility.
Chapter 5, “Migration Utility Setup and Installation”: Describes system requirements, preinstallation considerations, and how to access the Migration Utility.
Chapter 6, “Using the Migration Utility to Migrate Data from ACS 4.x to ACS 5.6”: Describes the data migration process in various phases using the Migration Utility.
Appendix A, “ACS 5.6 Attribute Support in the Migration Utility”: Describes attribute migration from ACS 4.x to ACS 5.6.
Appendix B, “Configuration Mapping from ACS 3.x and 4.x to ACS 5.6”: Provides configuration mapping from ACS 3.x and 4.x to ACS 5.6.
Appendix C, “Feature Comparison of ACS 3.x and 4.x with ACS 5.6”: Provides detailed feature comparison of ACS 3.x and 4.x to ACS 5.6.
Appendix D, “Troubleshooting the Migration Utility”: Describes how to troubleshoot the Migration Utility.
How to Use This Document
The following chapters and appendices contain instructions to migrate to ACS 5.6 from earlier releases:
• See Appendix C, “Feature Comparison of ACS 3.x and 4.x with ACS 5.6” to ensure that all the key
features for your deployment are met in ACS 5.6.
• See Chapter 1, “ACS 5.6 Deployment Overview” to understand the ACS 5.6 system level details
such as platform support, the distributed deployment model, and system interfaces.
• See Chapter 2, “Understanding ACS 5.6 Configuration” to understand the key functional and
configuration differences in ACS 5.6, and for specific configuration recommendations and
examples.
• See Chapter 3, “Configuration Migration Methods in ACS 5.6” to understand the approaches for
migrating an existing configuration.
Conventions
This document uses the following conventions:
Convention: Indication
bold font: Commands, keywords, and user-entered text appear in bold font.
italic font: Document titles, new or emphasized terms, and arguments for which you supply values are in italic font.
[ ]: Square brackets can indicate one of the following:
• An optional element.
• Default responses to system prompts.
{x | y | z }: Required alternative keywords are grouped in braces and separated by vertical bars.
[ x | y | z ]: Optional alternative keywords are grouped in brackets and separated by vertical bars.
string: A nonquoted set of characters. Do not use quotation marks around the string or the string will include the quotation marks.
courier font: Terminal sessions and information the system displays appear in courier font.
< >: Nonprinting characters such as passwords are in angle brackets.
!, #: An exclamation point (!) or a pound sign (#) at the beginning of a line of code indicates a comment line.
Note: Means reader take note. Notes contain helpful suggestions or references to material not covered in the manual.
Documentation Updates
Table 1 lists the updates to the Migration Guide for Cisco Secure Access Control System 5.6.
Table 1 Updates to the Migration Guide for Cisco Secure Access Control System 5.6
Date: Description
09/26/2014: Cisco Secure Access Control System, Release 5.6.
Product Documentation
Note It is possible for the printed and electronic documentation to be updated after original publication.
Therefore, you should also review the documentation on Cisco.com for any updates.
Table 2 lists the product documentation that is available for ACS 5.6. To find end-user documentation for
all the products on Cisco.com, go to: http://www.cisco.com/go/techdocs
Select Products > Security > Access Control and Policy > Policy and Access Management > Cisco
Secure Access Control System.
Table 2 Product Documentation
Document Title: Available Formats
Cisco Secure Access Control System In-Box Documentation and China RoHS Pointer Card: http://www.cisco.com/c/en/us/support/security/secure-access-control-system/products-documentation-roadmaps-list.html
User Guide for Cisco Secure Access Control System 5.6: http://www.cisco.com/c/en/us/support/security/secure-access-control-system/products-user-guide-list.html
CLI Reference Guide for Cisco Secure Access Control System 5.6: http://www.cisco.com/c/en/us/support/security/secure-access-control-system/products-command-reference-list.html
Supported and Interoperable Devices and Software for Cisco Secure Access Control System 5.6: http://www.cisco.com/c/en/us/support/security/secure-access-control-system/products-device-support-tables-list.html
Installation and Upgrade Guide for Cisco Secure Access Control System 5.6: http://www.cisco.com/c/en/us/support/security/secure-access-control-system/products-installation-guides-list.html
Release Notes for Cisco Secure Access Control System 5.6: http://www.cisco.com/c/en/us/support/security/secure-access-control-system/products-release-notes-list.html
Regulatory Compliance and Safety Information for Cisco Secure Access Control System: http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-6/regulatory/compliance/csacsrcsi.html
Related Documentation
Note It is possible for the printed and electronic documentation to be updated after original publication.
Therefore, you should also review the documentation on Cisco.com for any updates.
Table 3 lists the related documentation that is available for ACS 4.x.
Table 3 Related Documentation
Document Title: Available Formats
Installation Guide for Cisco Secure ACS for Windows 4.0: http://www.cisco.com/c/en/us/support/security/secure-access-control-server-windows/products-installation-guides-list.html
User Guide for Cisco Secure Access Control Server for Windows 4.0: http://www.cisco.com/c/en/us/support/security/secure-access-control-server-windows/products-user-guide-list.html
Installation Guide for Cisco Secure ACS for Windows 4.x: http://www.cisco.com/c/en/us/support/security/secure-access-control-server-windows/products-installation-guides-list.html
User Guide for Cisco Secure Access Control Server for Windows 4.1: http://www.cisco.com/c/en/us/support/security/secure-access-control-server-windows/products-user-guide-list.html
Installation Guide for Cisco Secure ACS for Windows 4.2: http://www.cisco.com/c/en/us/support/security/secure-access-control-server-windows/products-installation-guides-list.html
User Guide for Cisco Secure Access Control Server for Windows 4.2: http://www.cisco.com/c/en/us/support/security/secure-access-control-server-windows/products-user-guide-list.html
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional
information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and
revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed
and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free
service and Cisco currently supports RSS Version 2.0.
Chapter 1 ACS 5.6 Deployment Overview
The ACS 5.6 deployment model, which is similar to ACS 4.x, consists of a single primary and multiple
secondary ACS servers, where configuration changes are made on the primary ACS server. These
configurations are replicated to the secondary ACS servers.
All primary and secondary ACS servers can process AAA requests. The primary ACS server is also the
default log collector for the Monitoring and Report Viewer, although you can configure any ACS server
to be the log collector.
Although you can manage with a single ACS server, we recommend that you have two or more ACS
servers, to provide AAA request processing redundancy. ACS 5.6 provides syslog support for external
logging, and interfaces for automated and batch configuration provisioning.
An ACS deployment can scale for increased AAA request processing capacity by adding secondary
servers. In large deployments, the secondary servers can be dedicated for specific functions. For
example, you can use the primary ACS server only for configuration changes and not for processing
AAA requests. You can designate a secondary ACS server only as the log collector.
In large environments, you can use load balancers to distribute AAA requests among the ACS servers in
the deployment, simplify AAA client management, and provide high availability.
ACS servers are typically placed in the data centers or close to user clusters, for example, at regional
sites.
For additional deployment information, see Understanding the ACS Server Deployment in the
Installation and Upgrade Guide for Cisco Secure Access Control System 5.6.
Table 1-1 describes the various ACS server roles.
Table 1-1 ACS Server Roles
ACS Server Role: Role Description
Primary: Configuration changes performed on the primary ACS server are replicated to all the secondary ACS servers in the deployment. At a time, you can have only one ACS server as the primary server.
Secondary: All ACS servers that receive configuration changes from the ACS primary server are secondary servers.
Log Collector: ACS primary or secondary server that is also the log collector for the Monitoring and Report Viewer. There can only be one log collector in a deployment. Other ACS deployments (servers not synchronized with this deployment) cannot send ACS logs to this server.
Chapter 1 ACS 5.6 Deployment Overview
The following sections describe the deployment differences between ACS 4.x and ACS 5.6, as well as
some considerations when deploying ACS 5.6:
• Windows Versus Linux-Based Applications, page 1-2
• Replication, page 1-2
• Identity Stores, page 1-3
• Logging, page 1-3
• Configuration, page 1-4
• Licensing, page 1-4
• Server Deployment Recommendations, page 1-5
• Performance, page 1-6
Windows Versus Linux-Based Applications
ACS 3.x and 4.x releases are available as Windows-based applications that can be installed on a
Windows server platform. These applications are also available on an appliance called the ACS Solution
Engine. This appliance is a hardware platform that is preloaded with ACS and Windows operating
systems.
ACS 5.6 is a Linux-based application and is packaged with a Linux operating system. The application
and the operating system package are shipped on an appliance, and they can also be installed in a virtual
machine on a VMware ESX Server.
There are functional and deployment differences between ACS for Windows and the ACS Solution
Engine, but there is no functional difference between the ACS 5.6 hardware appliance and the ACS 5.6
installed on a virtual machine. Deployments that consist of ACS 5.6 hardware appliances and ACS 5.6
virtual machines are also supported.
Replication
ACS 3.x and 4.x provide a loose replication model. The characteristics of the ACS 3.x and 4.x replication
model are:
• The configuration blocks represent logical areas of ACS configuration. For example, users and
usergroups, usergroups only, network devices, distribution table, interface configuration, interface
security settings, password validation settings, EAP-FAST settings, network access profiles, and
logging configuration.
• The option to replicate one or more of the configuration blocks from the primary to secondary
server.
• The whole block is replicated, regardless of the size of the configuration change.
• Cascading replication, which is the ability for a secondary ACS server to push a replication update
to another ACS server.
• Replication can be initiated manually or according to a schedule.
• TACACS+ password updates are received on the primary server only.
In this loose replication model, the replicated blocks are synchronized between the primary and
secondary servers, but other parts of the configuration can be different and tailored for the local
environment.
The ACS 5.6 replication model is simple, efficient, and robust. The characteristics of the ACS 5.6
replication model are:
• Full synchronization between the primary and secondary servers.
• Transparent and immediate replication.
• Only configuration changes are replicated.
• Configuration changes can be made only on the primary server.
• No cascading replication.
• Automatic recovery for missed updates.
• Ability to promote a secondary server to primary server.
• TACACS+ password updates can be received on any ACS instance.
A region-specific access policy must be implemented in the ACS 5.6 network access policy
configuration. This is because ACS 5.6 configuration is fully synchronized between the primary and
secondary servers, and configuration changes cannot be made directly to the secondary servers.
Identity Stores
The main difference related to identity store support between ACS 3.x and 4.x and 5.6 is that ACS 5.6
does not support Open Database Connectivity (ODBC) for authentication to databases and proxy
forwarding of TACACS+ requests. ACS 5.6 supports the following identity stores for authentication:
• ACS internal store
• Active Directory
• Lightweight Directory Access Protocol (LDAP) directories
• One-time password servers, using the
– RSA SecurID interface
– RADIUS interface
• Proxy forwarding to other stores through RADIUS (RADIUS proxy)
Logging
In ACS 5.6, the Monitoring and Report Viewer functionality is part of ACS. In an ACS 5.6 deployment,
an ACS server is designated as the log collector for the reporting and monitoring functionality. All of
the other ACS servers send log messages to the designated log collector.
ACS supports syslog for logging to external servers.
ACS 5.6 provides a web service interface for the Cisco Wireless Control System (WCS) to obtain user
authentication information from the Monitoring and Report Viewer.
Configuration
In ACS 5.6, the primary mode for configuration is a web-based user interface. ACS 5.6 also has a
command-line interface (CLI) through which system tasks and file-based configuration updates can be
made.
You can access the CLI from the console port, keyboard, video, mouse (KVM), and SSH. A web-service
interface is provided to develop password change applications for internal ACS users.
Table 1-2 provides the number of internal users and network devices supported by ACS. Users and network devices are the most commonly used and most heavily populated ACS objects.
Table 1-2 Internal Users and Device Configuration Capacity
ACS Object: Configuration Capacity
Internal Users: 300,000
Network Devices: 100,000
Licensing
The 3.x and 4.x releases of ACS did not require application of key or license files. However, you need
to apply a license file for the 5.x releases. The ACS 5.6 licenses are available at:
http://cisco.com/go/license
Table 1-3 lists the available ACS 5.6 licenses.
Table 1-3 Available ACS 5.6 Licenses
License: Description
Base Server: One for each ACS instance.
Large Deployment: One for each ACS deployment when the network device count (based on IP address) in ACS exceeds 500. Configuring the Default Network Device contributes to the device count.
Server Deployment Recommendations
Table 1-4 describes the component mapping from ACS 3.x and 4.x to ACS 5.6.
Table 1-4 Component Mapping
ACS 3.x and 4.x Component: ACS 5.6 Component. Notes
ACS for Windows: VM in VMware ESX, 1121, 3415, or 3495 appliance. Notes: There is no ACS 5.6 Windows option. ACS 5.6 is an application that can run on a VMware or supported appliance.
ACS Solution Engine (1111, 1112, 1113): VM in VMware ESX, 1121, 3415, or 3495 appliance. Notes: ACS 1111, 1112 and 1113 platforms do not support ACS 5.6. ACS 4.2 can run on the 1120.
ACS Remote Agent: N/A. Notes: Remote Agent is not required in ACS 5.6.
ACS View 4.0: VM in VMware ESX, 1121, 3415, or 3495 appliance. Notes: ACS 5.6 has built-in ACS View functionality.
Deployment guidelines for ACS 5.6:
• In most cases, a one-to-one ACS server replacement is appropriate. The authentication performance of ACS 5.6 is the same as that of the previous versions.
• Deploy at least two ACS instances to provide redundancy.
• Add more ACS servers to scale the authentication performance. Ensure that a single ACS server can handle the peak authentication rate of its AAA clients and of any AAA clients that rely on it as a backup AAA server.
• You can use secondary ACS servers to process AAA requests only to scale a deployment environment. Use the primary for configuration updates and log collection only. Use the most powerful hardware for the log collector, for example, the Cisco SNS-3415 or Cisco SNS-3495 appliance rather than the 1121 appliance.
• Use load balancers to receive AAA requests, simplify AAA client management, improve resiliency, and better utilize ACS authentication capacity.
• Monitor the ongoing resource utilization. You can do this by enabling the ACS system health alarm threshold in the Monitoring and Report Viewer, as shown in Figure 1-1.
Figure 1-1 Alarm Threshold in ACS 5.6
Performance
A single ACS 5.6 server that does not act as the log collector can process more than 100 authentications
per second. You should make sure that a single ACS server processing AAA requests is able to manage
the load during peak hours. Peak hours typically occur when users arrive at work, or when network
equipment reboots; both events create a large number of authentication requests.
For example, 50,000 employees of a company log on to a network evenly over a fifteen-minute period.
This translates to approximately 56 authentications per second as the peak authentication rate. In this
case, a single ACS server that does not act as the log collector can support this peak authentication rate.
Table 1-5 shows the number of authentications a single ACS server can support for different time
periods, assuming a minimum rate of 100 authentications per second.
There are many factors that affect ACS authentication performance, such as configuration size, policy
complexity, communication with external servers, and authentication protocol complexity.
Table 1-6 lists the ACS performance for different authentication environments. This performance data
represents the lower range of authentication rates observed while testing ACS with complex
configurations. The performance is higher for simpler configurations.
Table 1-5 Authentications Over Different Time Periods
1 second 100 authentications
60 seconds 6000 authentications
5 minutes 30000 authentications
15 minutes 90000 authentications
1 hour 360000 authentications
Table 1-6 The Lower Range of ACS 5.6 Authentication Performance, in Authentications per Second
Authentication Types   Identity Stores: Internal   AD   LDAP
PAP 500 100 800
CHAP 500 500 N/A
TACACS+ 400 160 1200
MSCHAP 500 300 N/A
PEAP-MSCHAP 200 100 N/A
PEAP-GTC 200 100 300
EAP-TLS 200 180 270
LEAP 330 280 N/A
FAST-MSCHAP 120 120 N/A
FAST-GTC 130 110 190
MAC-Auth Bypass 750 N/A 2000
Note The above numbers assume fast reconnect and session resume is in use for the applicable EAP methods.
There is an approximate 50% drop in authentication performance if the ACS server is also being used as
the log collector for the Monitoring and Report Viewer.
Performance on the CSACS-1121, Cisco SNS-3415, or Cisco SNS-3495 appliance is approximately 10% to
15% higher than the numbers shown in Table 1-6.
Performance on a virtual machine is slower than on an actual 1121 appliance because of the virtual
machine overhead. Performance of a virtual machine increases when you increase the CPU resources.
For virtual machine environments, the minimum requirements are similar to the CSACS-1121, Cisco
SNS-3415, or Cisco SNS-3495 appliance. For more information on virtual machine environments, see
the Installation and Upgrade Guide for Cisco Secure Access Control System 5.6.
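As an added illustration of this sizing guidance (not a Cisco tool and not part of this guide), the following Python checks a deployment against the figures above: the 100 authentications per second floor, the peak-rate arithmetic of the 50,000-employee example, the rule that a server must absorb the peak of its own AAA clients plus those that fail over to it, and the drop for a server that also acts as the log collector. The class and server names and the client loads are constructed, and the "approximately 50%" log-collector drop is assumed to be exactly 50%.

```python
"""Capacity check for an ACS 5.6 deployment.

Added illustration of the sizing guidance in this chapter; it is not a
Cisco tool.  Assumptions: the 100 authentications/second floor from
Table 1-5 is the per-server rate, the "approximately 50%" drop for a
server that also collects logs is modelled as exactly 50%, and the
server names and client loads below are constructed.
"""
import math
from dataclasses import dataclass
from typing import List

BASE_AUTH_PER_SECOND = 100.0   # floor for a server that is not the log collector
LOG_COLLECTOR_FACTOR = 0.5     # assumed exact form of the ~50% drop


def peak_auth_rate(users: int, window_seconds: int) -> float:
    """Authentications per second when `users` log on evenly over the window."""
    if users < 0 or window_seconds <= 0:
        raise ValueError("users must be >= 0 and window_seconds must be positive")
    return users / window_seconds


def min_servers_for_peak(peak_rate: float,
                         per_server_rate: float = BASE_AUTH_PER_SECOND,
                         spare: int = 1) -> int:
    """AAA-processing servers needed so the peak still fits with `spare` servers down.

    The chapter's "at least two instances for redundancy" is the spare=1 case.
    """
    return max(1, math.ceil(peak_rate / per_server_rate)) + spare


@dataclass
class AcsServer:
    name: str
    own_peak: float                 # peak auth/s from clients that use this server first
    backup_peak: float = 0.0        # peak auth/s from clients that fail over to it
    is_log_collector: bool = False
    per_server_rate: float = BASE_AUTH_PER_SECOND

    def capacity(self) -> float:
        """Sustainable rate; halved when the server is also the log collector."""
        factor = LOG_COLLECTOR_FACTOR if self.is_log_collector else 1.0
        return self.per_server_rate * factor

    def worst_case_load(self) -> float:
        """Own clients plus every client that may fail over to this server."""
        return self.own_peak + self.backup_peak


def overloaded_servers(servers: List[AcsServer]) -> List[str]:
    """Names of servers whose worst-case load exceeds their capacity."""
    return [s.name for s in servers if s.worst_case_load() > s.capacity()]


def example_deployment(peak: float) -> List[AcsServer]:
    """Constructed layout following the guidelines: the primary does configuration
    and log collection only; two secondaries split the AAA load and back each other up."""
    half = peak / 2
    return [
        AcsServer("acs-primary", own_peak=0.0, is_log_collector=True),
        AcsServer("acs-sec1", own_peak=half, backup_peak=half),
        AcsServer("acs-sec2", own_peak=half, backup_peak=half),
    ]


if __name__ == "__main__":
    peak = peak_auth_rate(50_000, 15 * 60)          # the chapter's worked example
    print(f"peak rate: {peak:.1f} auth/s")
    print("servers needed (one spare):", min_servers_for_peak(peak))
    print("overloaded:", overloaded_servers(example_deployment(peak)) or "none")
    # A log collector that also serves 60 auth/s of its own clients plus 60 auth/s
    # of failover traffic has only 50 auth/s of capacity, so it is flagged.
    busy = [AcsServer("acs-collector", own_peak=60, backup_peak=60, is_log_collector=True)]
    print("overloaded:", overloaded_servers(busy))
```

The check is deliberately pessimistic: it sizes each server for the case where every AAA client that lists it as a backup fails over at the same moment as its own peak, which is the situation the guideline above asks you to plan for.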
Chapter 2 Understanding ACS 5.6 Configuration
ACS 5.6 Configuration
This chapter explains the differences in configuration between ACS 3.x and 4.x and ACS 5.6 when you
convert the existing 3.x and 4.x configurations to 5.6.
This chapter contains the following sections:
• Network Resources, page 2-2
• Users and Identity Stores, page 2-7
• Policy Elements, page 2-11
• System Administration, page 2-15
Table 2-1 describes the main configuration areas in ACS 5.6.
Table 2-1 Main Configuration Areas in ACS 5.6
Configuration Area: What Will Be Configured
Network Resources: AAA clients, client grouping, and RADIUS proxy servers
Users and Identity Stores: Internal users, internal hosts, Active Directory, LDAP directories, one-time password servers, RADIUS identity stores, certificate authority information, and identity store sequences
Policy Elements: Conditions and authorization profiles for network access policy
Access Services: Network access policy to address different access scenarios
Monitoring and Reports: ACS monitoring, reporting and troubleshooting tasks
System Administration: ACS system administration tasks
Chapter 2 Understanding ACS 5.6 Configuration
Network Resources
AAA clients and RADIUS proxy servers are defined and organized under the Network Resources
drawer.
The following components are configured under Network Resources:
• Network Device Groups, page 2-2
• Network Devices, page 2-5
• External RADIUS Servers, page 2-6
Network Device Groups
Key changes in ACS 5.6:
• A single device can be a member of multiple groups—Network Device Group hierarchies.
• Device group level shared secrets are not available.
• Device group is not a container for AAA server definitions.
Network device groups allow you to group devices based on location, type, and other groupings. This is
especially important for applying network access policy based on these groupings. For example, you can
restrict a West Coast firewall administrator to access only the West Coast firewalls.
When you plan to migrate the network device to ACS 5.6, we recommend that you plan the device
grouping before importing or configuring the devices. This will allow the assignment of groups to
devices while they are being created in ACS 5.6.
ACS 3.x and 4.x have a flat device grouping model in which a single device can belong to only one device
group. This model causes a proliferation of groups when you try to group devices in multiple ways, and
grouping locations hierarchically is very common.
For example, group by continent, region, and country. The following example shows groups in ACS 3.x
and 4.x:
• Africa-Southern-SouthAfrica
• Africa-Southern-Namibia
• Africa-Southern-Botswana
Devices are often grouped by type. Extending the above example to incorporate type grouping would
result in the following groups:
• Africa-Southern-SouthAfrica-Firewalls
• Africa-Southern-SouthAfrica-Switches
• Africa-Southern-SouthAfrica-Routers
• Africa-Southern-Namibia-Firewalls
• Africa-Southern-Namibia-Switches
• Africa-Southern-Namibia-Routers
• Africa-Southern-Botswana-Firewalls
• Africa-Southern-Botswana-Switches
• Africa-Southern-Botswana-Routers
The number of groups increases further when other parameters, such as device types, vendors, and so on,
are added.
ACS 5.6 addresses this device group proliferation issue by providing network device group hierarchies.
There can be multiple hierarchies representing different groups. A device can belong to one node in each
hierarchy. Figure 2-1, Figure 2-2, and Figure 2-3 show three different network device group hierarchies.
Figure 2-1 Network Device Group Hierarchies
Figure 2-2 Network Device Group Hierarchies
Figure 2-3 Network Device Group Hierarchies
You can assign any device to a node in each of the hierarchies. Figure 2-4 shows a Cisco switch device
that is located in Botswana.
Figure 2-4 An Example of a Cisco Switch Device Located in Botswana
Each node in the device group hierarchy becomes an attribute that is available for use in the network
access policy. Devices at the intersection of multiple hierarchies are easy to express by referencing a
node in each hierarchy.
The following table shows an example of a rule whose conditions apply to Cisco firewalls in Namibia:
Conditions: NDG:Location Is Namibia; NDG:Device Type Is Firewall; NDG:Vendors Is Cisco
Result: …
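To make the hierarchical model concrete, here is an added Python example (not ACS code and not part of this guide) that models the three hierarchies, evaluates the Namibia/Firewall/Cisco rule from the table above against sample devices, and generates the flat ACS 3.x and 4.x group names that the same coverage would need. The Location hierarchy follows the text's Africa/Southern/country example; the Device Type and Vendors hierarchies, the root node names, and the sample devices are assumptions.

```python
"""Network device group (NDG) hierarchies versus flat group proliferation.

Added example of the grouping model this section describes; it is not
ACS code.  The Location hierarchy follows the text's example; the
Device Type and Vendors hierarchies, root node names and sample devices
are constructed here.
"""
from dataclasses import dataclass
from itertools import product
from typing import Dict, List, Optional, Sequence

# Each hierarchy is a tree stored as child -> parent (None marks the root).
HIERARCHIES: Dict[str, Dict[str, Optional[str]]] = {
    "Location": {
        "All Locations": None,
        "Africa": "All Locations",
        "Southern": "Africa",
        "SouthAfrica": "Southern",
        "Namibia": "Southern",
        "Botswana": "Southern",
    },
    "Device Type": {
        "All Device Types": None,
        "Firewall": "All Device Types",
        "Switch": "All Device Types",
        "Router": "All Device Types",
    },
    "Vendors": {"All Vendors": None, "Cisco": "All Vendors"},
}


def ancestors_and_self(hierarchy: str, node: str) -> List[str]:
    """Path from `node` up to the root of the named hierarchy."""
    tree = HIERARCHIES[hierarchy]
    if node not in tree:
        raise KeyError(f"{node!r} is not a node of the {hierarchy} hierarchy")
    path: List[str] = []
    current: Optional[str] = node
    while current is not None:
        path.append(current)
        current = tree[current]
    return path


@dataclass
class Device:
    name: str
    ndg: Dict[str, str]   # hierarchy name -> the one node the device sits on


def condition_matches(device: Device, hierarchy: str, wanted: str) -> bool:
    """'NDG:<hierarchy> is <wanted>' holds when the device's node is `wanted` or below it."""
    return wanted in ancestors_and_self(hierarchy, device.ndg[hierarchy])


def rule_matches(device: Device, conditions: Dict[str, str]) -> bool:
    """Every NDG condition of the rule must hold (the rule row above is a conjunction)."""
    return all(condition_matches(device, h, want) for h, want in conditions.items())


def matching_devices(devices: Sequence[Device], conditions: Dict[str, str]) -> List[str]:
    """Names of the devices a rule with these conditions would apply to."""
    return [d.name for d in devices if rule_matches(d, conditions)]


def flat_group_names(countries: Sequence[str], types: Sequence[str]) -> List[str]:
    """The ACS 3.x/4.x flat groups needed to cover every country/type pair."""
    return [f"Africa-Southern-{c}-{t}" for c, t in product(countries, types)]


# Constructed sample devices, one node per hierarchy each.
DEVICES = [
    Device("fw-windhoek-1", {"Location": "Namibia", "Device Type": "Firewall", "Vendors": "Cisco"}),
    Device("sw-gaborone-1", {"Location": "Botswana", "Device Type": "Switch", "Vendors": "Cisco"}),
    Device("rtr-capetown-1", {"Location": "SouthAfrica", "Device Type": "Router", "Vendors": "Cisco"}),
]

# The rule from the table above.
NAMIBIA_CISCO_FIREWALLS = {"Location": "Namibia", "Device Type": "Firewall", "Vendors": "Cisco"}

if __name__ == "__main__":
    print(matching_devices(DEVICES, NAMIBIA_CISCO_FIREWALLS))
    print(matching_devices(DEVICES, {"Location": "Africa"}))   # an ancestor node matches all three
    groups = flat_group_names(["SouthAfrica", "Namibia", "Botswana"],
                              ["Firewalls", "Switches", "Routers"])
    print(len(groups), "flat groups, e.g.", groups[:3])
```

Because a condition on an ancestor node ("NDG:Location is Africa") matches every device below it, one rule covers a whole region without a group per country; in the flat model the same coverage needs one group per combination, which is the proliferation the text describes.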
Migration Notes
• Plan your device grouping approach to make use of the more natural hierarchical grouping in ACS
5.6.
• ACS 5.6 does not support per device group shared secrets that are available in ACS 3.x and 4.x. ACS
5.6 requires a shared secret to be defined for each device definition.
Network Devices
Key changes in ACS 5.6:
• Single device definition for a AAA client supporting both TACACS+ and RADIUS—Separate
definitions are no longer needed.
• Mask-based IP address.
• A default device definition for both TACACS+ and RADIUS.
Figure 2-5 shows the ACS 5.6 network device configuration.
Figure 2-5 ACS 5.6 Network Device Configuration
Figure 2-5 shows a device definition representing any client from subnets 10.10.20.0 and 10.10.30.0.
These clients can send TACACS+ or RADIUS requests as both are enabled in the device configuration.
Figure 2-6 shows the default network device.
Figure 2-6 Default Network Device
The default network device replaces the default TACACS+ device, 0.0.0.0, in ACS 3.x and 4.x. It can
also act as a default device for RADIUS requests.
Migration Notes
• Consolidate double device definitions for TACACS+ and RADIUS in ACS 3.x and 4.x to a single
device in ACS 5.6.
• ACS 5.6 uses subnet masks for IP address definitions. Map the ACS 3.x and 4.x configurations using
IP ranges and wildcards to subnet mask ranges in ACS 5.6.
• The default network device is a useful tool to enable faster migration to ACS 5.6. It allows ACS 5.6
to start receiving AAA requests while more specific device definitions are being created.
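The following added Python example (not the Migration Utility's code and not part of this guide) shows how the address mapping in the migration notes above can be carried out: it translates ACS 4.x wildcard and range definitions into mask-based networks, merges the separate TACACS+ and RADIUS definitions into one device with its own shared secret, resolves a client to the most specific definition with the default network device as the fallback, and lists definitions whose address spaces overlap. The two 4.x input syntaxes handled ("10.10.20.*" and "10.10.20.1-50") are assumed, and the device names, secrets and client addresses are constructed placeholders.

```python
"""ACS 3.x/4.x AAA client addresses to ACS 5.6 mask-based device definitions.

Added example illustrating the migration notes above; it is not the
Migration Utility's code.  Assumed input syntaxes: a trailing-octet
wildcard ("10.10.20.*") and a last-octet range ("10.10.20.1-50").
Device names, secrets and client addresses are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4Network = ipaddress.IPv4Network


def acs4_address_to_networks(spec: str) -> List[IPv4Network]:
    """Translate one ACS 4.x address definition into subnet-mask networks."""
    spec = spec.strip()
    if "*" in spec:
        octets = spec.split(".")
        if len(octets) != 4:
            raise ValueError(f"expected four octets in {spec!r}")
        stars = [i for i, o in enumerate(octets) if o == "*"]
        # Only a trailing run of whole-octet wildcards maps onto a single mask.
        if not stars or stars != list(range(stars[0], 4)):
            raise ValueError(f"wildcard in {spec!r} cannot become one mask")
        fixed = octets[: stars[0]]
        base = ".".join(fixed + ["0"] * len(stars))
        return [ipaddress.ip_network(f"{base}/{8 * len(fixed)}")]
    if "-" in spec:
        head, tail = spec.rsplit(".", 1)           # "10.10.20", "1-50"
        low, high = tail.split("-", 1)
        first = ipaddress.ip_address(f"{head}.{low}")
        last = ipaddress.ip_address(f"{head}.{high}")
        # A range rarely aligns to one mask; emit the minimal set of masked networks.
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(spec, strict=False)]  # host or CIDR as given


@dataclass
class NetworkDevice:
    name: str
    networks: List[IPv4Network]
    shared_secret: str            # ACS 5.6 requires a secret on every device definition
    tacacs: bool = True           # one definition serves both protocols in 5.6
    radius: bool = True

    def allows(self, protocol: str) -> bool:
        return {"tacacs": self.tacacs, "radius": self.radius}[protocol]


def migrate_device(name: str, acs4_specs: List[str], secret: str,
                   tacacs: bool = True, radius: bool = True) -> NetworkDevice:
    """Fold the 4.x address definitions of one AAA client into a single 5.6 device."""
    nets = [n for spec in acs4_specs for n in acs4_address_to_networks(spec)]
    return NetworkDevice(name, nets, secret, tacacs, radius)


def find_device(devices: List[NetworkDevice], client_ip: str, protocol: str,
                default: Optional[NetworkDevice] = None) -> Optional[NetworkDevice]:
    """Most specific (longest mask) definition covering the client that allows the
    protocol; otherwise the default network device, the 5.6 stand-in for 0.0.0.0."""
    ip = ipaddress.ip_address(client_ip)
    best, best_len = None, -1
    for dev in devices:
        if not dev.allows(protocol):
            continue
        for net in dev.networks:
            if ip in net and net.prefixlen > best_len:
                best, best_len = dev, net.prefixlen
    if best is None and default is not None and default.allows(protocol):
        return default
    return best


def overlapping_definitions(devices: List[NetworkDevice]) -> List[Tuple[str, str]]:
    """Pairs of devices whose address spaces overlap; the lookup above resolves them by
    longest mask, but such definitions are worth reviewing before import."""
    pairs = []
    for i, a in enumerate(devices):
        for b in devices[i + 1:]:
            if any(na.overlaps(nb) for na in a.networks for nb in b.networks):
                pairs.append((a.name, b.name))
    return pairs


DEFAULT_DEVICE = NetworkDevice("Default Network Device",
                               [ipaddress.ip_network("0.0.0.0/0")],
                               shared_secret="<default-secret-placeholder>")

# Constructed devices: the doubled TACACS+/RADIUS definitions from 4.x become one device each.
DEVICES = [
    migrate_device("branch-switches", ["10.10.20.*", "10.10.30.*"], "<secret-placeholder>"),
    migrate_device("dc-firewalls", ["10.10.20.1-50"], "<secret-placeholder>", radius=False),
]

if __name__ == "__main__":
    for dev in DEVICES:
        print(dev.name, [str(n) for n in dev.networks])
    print(find_device(DEVICES, "10.10.20.7", "tacacs", DEFAULT_DEVICE).name)
    print(find_device(DEVICES, "192.0.2.5", "radius", DEFAULT_DEVICE).name)
    print("overlaps:", overlapping_definitions(DEVICES))
```

Note what the range case produces: 10.10.20.1-50 becomes eight masked networks, which is why the migration note recommends re-planning ranges as subnets rather than translating them literally.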
External RADIUS Servers
The last configuration area under the Network Resources drawer is the External RADIUS Servers. This
option allows you to define the RADIUS servers to which ACS will proxy. Figure 2-7 shows an External
RADIUS server configuration in ACS 5.6.
Figure 2-7 ACS 5.6 RADIUS Server Configuration
Migration Notes
• In ACS 5.6, there is no proxy distribution table to direct authentication requests to other AAA
servers.
• For RADIUS proxy, configure a RADIUS proxy access service.
Users and Identity Stores
The following components are configured under Users and Identity Stores:
• Identity Groups, page 2-7
• Internal Identity Stores, page 2-9
• External Identity Stores, page 2-10
• Certificate Authorities and Certificate Authentication Profiles, page 2-10
• Identity Store Sequences, page 2-11
Identity Groups
Key changes in ACS 5.6:
• Unlike the ACS 3.x and 4.x user group, the ACS 5.6 identity group does not contain access policy
permissions.
• Users need not be associated to an ACS group.
• External groups need not be mapped to an ACS group.
• The identity group provides hierarchical grouping. Figure 2-8 shows identity group hierarchies in
ACS 5.6.
Figure 2-8 Identity Groups in ACS 5.6
In ACS 3.x and 4.x, ACS uses the ACS user group to apply network access policy to users. Every internal
and external user that is authenticated by ACS is mapped to only one ACS user group. In ACS 5.6,
network access policy is not applied through a group, but it is applied through access services.
Access services contain rules made up of conditions that govern the policy that will be applied to a user.
The user’s group membership is one of many attributes that can be used to compose these conditions. As
policy is not applied through a group, ACS 5.6 does not require the group association.
In ACS 3.x and 4.x, when external identity stores such as Active Directory or LDAP directories are used
for user authentication, and when the users’ directory group membership is relevant to their network
access, a group mapping is required to map users’ external group membership to an ACS group. This is
to apply the appropriate network access policy.
In ACS 5.6, external group memberships are attributes that can be used directly when you create the
network access policy. Hence, you do not have to use group mapping.
Migration Notes
• Consider if you really need identity groups in ACS 5.6—Identity groups are needed only to maintain
users within ACS.
• Take advantage of the hierarchical nature of identity groups.
• ACS 3.x and 4.x authorizations that are part of the user group are configured in the Policy Elements
and Access Services drawers.
• Instead of creating combination groups that represent users who belong to multiple groups, consider
specifying these different groups by extending the internal identity store schema.
Figure 2-9 shows an example of a user Fred in the IT group, who is also classified by location and
whether he can access switches, firewalls, and routers.
Figure 2-9 Internal Identity Stores in ACS 5.6
Internal Identity Stores
Key changes in ACS 5.6:
• In addition to a user store, ACS 5.6 has a host store for host MAC addresses.
• Access policy permissions do not contain user records.
• User schema can be customized to add extra user fields.
• Custom user fields can store user-specific values that can be leveraged in access policies.
The ACS 5.6 user store is simple when compared to ACS 3.x and 4.x, because the policy components
have moved to policy elements and access services in ACS 5.6. The ACS 5.6 user store is similar to an
external store, because the schema can be customized to hold user-specific information such as first
name, last name, location, and email.
These fields can also become attributes that can be used in access policy. For example, it is possible to
use the user's location as a condition, or an IP address value as a RADIUS return value.
ACS 5.6 provides a separate hosts store to maintain a MAC address database for agentless host scenarios
(MAC authentication bypass). Similar to the user store, custom fields can be added to host records for
use in access policy.
Migration Notes
• Use identity store sequences in combination with access service identity policy to implement the
ACS 3.x/4.x ability to select the password authentication method from the user record.
• User password policy is set under System Administration > Users > Authentication Settings.
External Identity Stores
Key changes in ACS 5.6:
• ACS 5.6 joins Active Directory (AD) directly and does not rely on a domain-joined Windows Server.
ACS Remote Agent is not required.
• ODBC databases are not supported in ACS 5.6, but other identity stores are supported, including
LDAP directories and one-time password servers.
• ACS 5.6 adds RADIUS Identity Store for RADIUS-based one-time passwords servers and for
RADIUS proxy where proxy response attributes are required for access policy.
• ACS 5.6 adds the ability for AD and LDAP user attributes to be used, in addition to user group
membership, in access policy.
• Identity store lists, provided by the unknown user policy in ACS 3.x and 4.x, are configured using
identity store sequences in ACS 5.6. There is no concept of a dynamic user in ACS 5.6.
The External Identity Store configuration is similar to the External User Databases in ACS 3.x and 4.x.
In ACS 5.6, external identity stores are configured and ACS communicates with them for authentication
and authorization.
For Active Directory, ACS 5.6 joins an AD domain directly, rather than leveraging the underlying
Windows operating system as ACS 3.x and 4.x did. ACS 5.6 relies on trust relationships between its
domain and other domains to perform cross-domain authentication, as in ACS 3.x and 4.x.
You must enter the username and password credentials in the ACS 5.6 configuration for ACS to join and
communicate with the AD domain. The credentials must have sufficient permissions to create a
computer object. If a user’s AD group membership and attribute information are required for access
policy, they must first be selected in the AD configuration.
LDAP directory configuration is similar to ACS 3.x and 4.x. Multiple LDAP directories can be defined
in ACS 5.6, similar to ACS 3.x and 4.x. The LDAP directory configuration allows you to select groups
and attributes for use in the access policy.
For one-time password authentication, ACS 5.6 supports the RSA SecurID native interface by
configuring RSA SecurID Token Servers. For non-RSA one-time password servers, RADIUS interaction
can be configured using the RADIUS Identity Server option.
Migration Notes
Go to System Administration > Configuration > Global System Options > RSA SecurID Prompts
to configure RSA SecurID prompts.
Certificate Authorities and Certificate Authentication Profiles
Key changes in ACS 5.6:
• Certificate Authentication Profiles allow you to customize the authentication for different
certificate profiles.
• Identity store authorization is optional for certificate-based authentication.
• Root CA certificates must be imported.
Trusted certificate authorities are defined under the certificate configuration options in Users and
Identity Stores. Here, the authentication characteristics of different certificate profiles are also specified.
Certificate authentication profiles are referenced in access service identity policy, and they allow you to
specify:
• The certificate field that should be used as the principal username.
• Whether a binary comparison of the certificate should be performed.
Migration Notes
• PEM- or DER-formatted X.509 certificates can be imported to create a list of trusted CAs.
• ACS 5.6 does not check whether the certificate owner exists in a directory, but you can check the
existence of a user attribute in an access service authorization policy.
Identity Store Sequences
Key changes in ACS 5.6:
• Provides the ability to specify different identity stores for authentication and authorization
• A list of identity stores can be configured for both authentication and authorization
In most deployments, a single identity store is used for user authentication and authorization.
However, in many deployments network access relies on more than one identity store.
The identity store sequence in ACS 5.6 addresses this requirement and can be referenced instead of an
identity store in an access service identity policy. The identity store sequence allows you to specify one
list of identity servers for authentication and another for authorization.
An example is one-time password users: the user must be authenticated against a one-time password
server, but additional authorization information, such as group memberships, is available only in a
directory.
Migration Notes
Use identity store sequences to replace the functionality provided by the unknown user policy in ACS
3.x and 4.x.
Policy Elements
The primary components of access policy are identity and authorization policies. Both these policies are
represented in separate rule tables in the ACS 5.6 access service. Each rule in a rule table is composed
of conditions and results.
In the Policy Elements configuration area, you can create conditions and customize them. Authorization
results are created in this area.
The following components are configured under Policy Elements:
• Session Conditions, page 2-12
• Authorizations and Permissions, page 2-12
• Access Policies, page 2-12
Session Conditions
The key changes in ACS 5.6 are:
• Network conditions that were formerly known as Network Access Restrictions (NARs) are defined
in this configuration area.
• The attributes available to create access service rule conditions include:
– System dictionary attributes
– RADIUS and TACACS+ attributes
– Network Device Groups (NDGs)
– User attributes and group memberships
– Certificate attributes
• You can define the following additional conditions under session conditions:
– Date and Time condition allows you to define date and time ranges.
– Custom condition allows existing attributes to be renamed to simplify policy representation.
– Network condition allows you to define ACS 3.x and 4.x equivalent NARs.
Migration Notes
Access policy conditions configured in the ACS 3.x and 4.x user, user group, or shared profile
components, should be configured under session conditions.
Authorizations and Permissions
The key changes in ACS 5.6 are:
• All access policy authorization must be defined in this configuration area.
• The various types of network authorizations include:
– Device administration authorization using TACACS+ shell privileges and command sets.
– Network access authorization using RADIUS attributes.
– Downloadable ACLs, typically used for remote access authorization.
Migration Notes
Access policy authorizations that were formerly configured in the ACS 3.x and 4.x user, user group, or
shared profile components, should be configured under Authorizations and Permissions.
Access Policies
The key changes in ACS 5.6 are:
• Access policies are the core of network access policy in ACS 5.6.
• All network access policy for RADIUS and TACACS+ authentication and authorization requests is
configured here.
All authentication and authorization requests in ACS 5.6 must be processed by an access service. An
access service defines the authentication and authorization policy. ACS 5.6 supports multiple access
services for different network access scenarios.
Access services provide a way to logically separate different network access policies. For example, an
organization may implement one access service for device administration policy, and another access
service for remote VPN access.
Additional access services may also be configured to simplify the policy within any one access service.
For example, instead of configuring one access service to address all 802.1X network access, you can
use multiple access services to address policy for wired, wireless, machine, and host 802.1X access.
In addition to access services, you must also configure the service selection policy. The service selection
policy instructs ACS on how to direct authentication and authorization requests to the appropriate access
service.
For more information on the Access Policies, see the User Guide for Cisco Secure Access Control
System.
Migration Notes
• For device administration scenarios using TACACS+, you can update the preconfigured default
device admin access service.
– Modify the identity policy to use another identity store, such as one-time passwords, if the
default setting of internal users is not appropriate.
– Select an identity store sequence, as shown in Figure 2-10, if more than one identity store is
required to authenticate and authorize users.
For example, users may be authenticated to a one-time password server, but the ACS internal
user store may be required to retrieve user attributes for authorization. In some cases, ACS may
need to check both the ACS internal user store and Active Directory to locate a user for
authentication.
Figure 2-10 Identity Store Sequence
• Utilize the new user and network device groupings to create authorization policy, as shown in
Figure 2-11.
Figure 2-11 Authorization Policy
• For RADIUS-based device administration, create a separate access service, and differentiate these
authentication and authorization requests from network access services, in the service selection
policy. Figure 2-12 shows the service selection policy.
Figure 2-12 Service Selection Policy
• For simple network access scenarios, you can update the preconfigured network access service. For
more complex network access scenarios, introduce additional access services, as shown in
Figure 2-13.
Figure 2-13 Network Access Service Rules
• When you create an access service that addresses both certificate-based and password-based
authentication (for example, certificate-based machine authentication and password-based user
authentication), a rules-based identity policy is required, as in Figure 2-14.
Figure 2-14 Rules-Based Identity Policy in ACS 5.6
• Use external groups directly in authorization policy without first mapping external groups to an ACS
group.
Figure 2-15 Using External Groups Directly in Authorization Policy
• Convert the server-specific configuration in ACS 3.x and 4.x to server-based policy in ACS 5.6.
Figure 2-16 shows how to use the system condition and ACS host name to direct requests to
different LDAP directories.
Figure 2-16 System Condition and ACS Host Name
System Administration
The key changes in ACS 5.6 are that ACS 5.6 provides the following configuration areas for system
administration tasks:
• Administrators, page 2-16
• Users, page 2-16
• Operations, page 2-16
• Configuration, page 2-16
• Downloads, page 2-16
Administrators
The key changes in ACS 5.6 are that ACS administrators can be assigned up to ten predefined roles that
govern an administrator's permissions.
Users
The key changes in ACS 5.6 are:
• Enhanced password policy can be applied to ACS internal users. This includes:
– Increased password complexity rules
– Password history
• Password lifetime policy is based on age only.
Operations
The key changes in ACS 5.6 are:
• Ability to assign ACS server roles to the primary or secondary servers.
• Ability to perform local and global software updates.
Configuration
The key changes in ACS 5.6 are:
• This configuration area addresses authentication protocol settings, AAA dictionaries, internal user
schema changes, ACS certificate management, logging settings, and ACS license management. This
includes:
– Editable AAA protocol dictionaries
– Editable internal user/host schema
• Ability to assign an ACS server as a log collector for ACS View.
Downloads
The key changes in ACS 5.6 are:
• ACS 5.6 provides a migration tool to help migrate some parts of ACS 4.2 configuration.
• A web services interface to build a password-change application for ACS internal users.
The configuration area contains links to download the ACS 5.6 Migration Utility and web services files
to build a change-password application.
Chapter 3
Configuration Migration Methods in ACS 5.6
This chapter describes ACS 4.x to 5.6 migration and contains:
• Migration Methods, page 3-1
• About the Migration Utility, page 3-3
• Migrating from ACS 4.x to 5.6, page 3-3
• Multiple-Instance Migration Support, page 3-5
• Migrating Data, page 3-7
Migration Methods
The ACS 5.6 configuration model differs from ACS 3.x and 4.x. You cannot directly migrate data and
configurations from ACS 3.x and 4.x to ACS 5.6. ACS 5.6 migration requires some manual
reconfiguration. ACS 5.6 provides the following tools for the migration process:
• Migration Utility, page 3-1
• CSV Import Tool, page 3-2
Migration Utility
The Migration Utility is a tool that runs on an ACS 4.x Windows machine. This tool helps you to import
the ACS 4.x backup files, analyze the data, and make the required modifications before importing the
data to ACS 5.6.
The Migration Utility supports the migration of the configurations that are shown in Table 3-1. You can
download the Migration Utility from the ACS 5.6 web interface under System Configuration >
Downloads.
The Migration Utility migrates data from an ACS 4.x Windows machine to an ACS 5.6 machine. This
process is different from the upgrade process for versions of ACS from 3.x to 4.x or for any 4.x upgrades.
In the upgrade process, the ACS 4.x system works in the same way, without the need for administrative
support. The migration process entails, in some cases, administrative support to consolidate and
manually resolve data before you import the data to ACS 5.6.
The Migration Utility in ACS 5.6 supports multiple-instance migration that migrates all ACS 4.x servers
in your deployment to ACS 5.6. To differentiate between several ACS 4.x instances, you can add a prefix.
The prefix is used to retain server-specific identification of data elements and prevent duplication of
object names for different servers.
Migrating an ACS 4.x deployment is a complex process and needs to be planned carefully. You need to
consider the ACS 4.x replication hierarchy before you perform the migration.
For example, if one ACS 4.x server has data replicated from another ACS 4.x server, there is no need to
migrate the same data set from both these ACS servers, since the data will be identical. Therefore, you
must carefully consider the order of migration of the ACS instances in the deployment.
CSV Import Tool
ACS 5.6 allows you to import some of the data objects from comma-separated value (CSV) text files, as
listed in Table 3-1. If you do not want to manually configure all the data objects in ACS 5.6 through the
web interface, you can create the configuration in CSV text files and import the configuration.
In many instances, ACS configuration data, such as device and user information is maintained externally
to ACS. You can export this data in a text format for importing into ACS 5.6.
For more information on the CSV Import Tools, see the Using the Scripting Interface chapter of the
Software Developer's Guide for Cisco Secure Access Control System 5.6.
Migration Recommendations
• For small ACS configurations, use a combination of manual configuration and CSV import. This is
in cases such as:
– Where users are not maintained in ACS
– Where network device wildcard is used
– Where user and network device information is available in CSV text format
• For other configurations, use the ACS 5.6 Migration Utility in addition to manual configuration and
CSV import.
Table 3-1 ACS 5.6 Migration Utility and Import Tool Options
ACS 5.6 Configuration Areas | ACS 5.6 Migration Utility Support | ACS 5.6 Import Tools
NDGs | Yes | Yes
Network Devices | Yes | Yes
RADIUS Proxy Servers | No | No
Internal Users/Hosts | Yes | Yes
Identity Groups | Yes | Yes
External Identity Stores | No | No
Policy Elements | Shared command sets, RACs, shared DACLs | Shared command sets, shared DACLs
Access Policies | No | No
Monitoring and Reports | No | No
System Administration | FAST master keys, VSAs | No
About the Migration Utility
Use the Migration Utility to migrate the different types of data from ACS 4.x to ACS 5.6. In addition to
your ACS 4.x Windows source machine, you must deploy an ACS 4.x migration machine and an ACS
5.6 target machine.
The two phases of the migration process are:
• Analysis and Export
• Import
You run the Migration Utility on the ACS 4.x migration machine. The migration machine is a Windows
platform running ACS 4.x. You can run the analysis and export phases independently, several times, to
ensure that the data is appropriate for the import phase.
Data that passes the analysis phases can be exported and then imported to ACS 5.6. See the User Guide
for Cisco Secure Access Control System 5.6 for details on ACS 5.6 policies.
You cannot use a remote desktop connection to the migration machine to run the Migration Utility. You
must run the Migration Utility locally on the migration machine or use VNC to connect to the migration
machine. You must run the Migration Utility on a 32-bit version of Windows.
Note ACS 5.6 Migration Utility is not supported on a 64-bit version of Windows.
The Migration Utility supports a subset of the ACS 4.x data elements. For a complete list, see ACS
Elements that Migration Process Supports in Table 4-1 on page 4-3.
Migrating from ACS 4.x to 5.6
This section describes the approach that is used in migrating from ACS 4.x to ACS 5.6. This section
includes:
• Multiple-Instance Migration, page 3-3
• Migration Phases for ACS 5.6, page 3-4
• Data Model Organization, page 3-4
Multiple-Instance Migration
ACS 5.6 has one primary database that holds the data for all the ACS 4.x instances. Data from each ACS
4.x instance is migrated to this primary database. In ACS 4.x, selective data replication can be defined
such that different ACS instances maintain distinct subsets of the overall system configuration.
ACS 5.6 contains a consolidated database, which is replicated to all the ACS instances. The consolidated
database contains all the local configuration definitions from each of the ACS 4.x instances.
Migration Phases for ACS 5.6
ACS 5.6 follows a two-phase migration approach:
• Analysis Phase, page 3-4
• Migration Phase, page 3-4
Analysis Phase
In this phase, an analysis of the existing ACS 4.x configuration is performed. It reports the possible
migration issues and recommends resolutions, if any. Before running the Migration Utility, you must
install ACS 4.x on the migration machine and restore the data.
You can run the analysis tool on the data restored from the backup of an ACS 4.x server. You can run the
analysis tool multiple times to make changes in the ACS 4.x configuration in the migration machine, if
necessary.
Note The analysis and export phases are implemented as a single phase in the migration process. The Analysis
reports include both the analysis and the export information.
Migration Phase
In this phase, the Migration Utility extracts the configuration data from an ACS 4.x server and prepares
the data to be migrated in a format that can be imported into an ACS 5.6 server. The migration tool
provides options to migrate data in one or more categories, such as:
• Inventory data migration (Users, Network Devices, MAC)
• Policy data migration (Network Device Groups, Identity Groups, Command Sets, RADIUS
Authorization Components (RACs), vendor-specific attributes (VSAs), and downloadable access
control lists (dACLs))
Data Model Organization
ACS 5.6 is a policy-based access control system. The term policy model in ACS 5.6 refers to the
presentation of policy elements, objects, and rules to the policy administrator. ACS 5.6 uses a rule-based
policy model instead of the group-based model that was used in previous versions.
The rule-based policy model provides more powerful and flexible access control than is possible with
the older group-based approach. For more information on the policy model, see the User Guide for Cisco
Secure Access Control System 5.6.
The following are the three major data model-related points in ACS 5.6:
• Model Organization, page 3-5
• Model Storage, page 3-5
• Replication Model, page 3-5
Model Organization
ACS 5.6 extends the Network Access Profile (NAP)-related functionality to a full policy-based
authentication, authorization, and accounting (AAA) solution for both RADIUS and TACACS+.
Specific policy and authentication information, such as sets of RADIUS attributes, is not maintained
within the user or group records as it is in ACS 4.x. Instead, the entire set of returned authentication data
is selected.
Model Storage
The migration process covers the ACS 4.x data that fulfills the following criteria:
• It can be translated to the ACS 5.6 model.
• It consists of configuration data rather than data generated during run-time operation, such as dynamic users.
Replication Model
In ACS 5.6, multiple database instances of ACS 4.x are combined and migrated into a single database.
In ACS 4.x, selective data replication can be defined such that different ACS instances maintain distinct
subsets of the overall system configuration.
ACS 5.6 contains a consolidated database that is replicated to all the ACS instances. This consolidated
database contains all the local configuration definitions from each of the ACS 4.x instances.
The ACS 5.6 data model is much more uniform than the ACS 4.x data model. The ACS 5.6 data model
contains a single master instance, where all configuration changes are made. All subtending secondary
instances maintain a full copy of the configuration and receive updates for all configuration changes.
Multiple-Instance Migration Support
To migrate multiple instances of ACS 4.x to ACS 5.6:
Step 1 Choose an ACS 4.x instance to be migrated.
The primary ACS 4.x instance (if one exists in the deployment) should be migrated first. Back up the
chosen ACS 4.x instance.
Step 2 Restore the backed up ACS 4.x instance on the migration machine.
Step 3 Run the migration process.
Step 4 After you complete the migration process for one ACS 4.x instance, continue with another instance or
terminate the process.
If you restore any instance of ACS 4.x, it deletes the previous ACS 4.x instance data.
In the analysis and export phase, no changes are made with regard to multiple instances.
For example, the Migration Utility does not detect duplicate objects between different ACS 4.x
instances. Duplicate and discrepant data objects that exist on multiple ACS 4.x instances are detected
and reported in the migration import phase.
Figure 3-1 illustrates the multiple-instance migration process.
Figure 3-1 Multiple-Instance Migration Process
Migrating Data
The migration process exports data from a source ACS 4.x server and imports the corresponding data
entities to a target ACS 5.6 server. The export process does not run on the operational 4.x server. Instead,
you must back up the database from the ACS 4.x source server and restore the data to an additional ACS
4.x migration machine, where you run the Migration Utility.
Note You must perform a full database backup on the ACS 4.x source machine before you start the migration
process. Restore the backed-up data to an additional ACS 4.x migration machine and fix issues before
you import the data to the ACS 5.6 machine.
The ACS 4.x database password should be less than 37 characters.
To migrate data:
Step 1 Run Analyze and Export on the ACS 4.x data and review the AnalyzeAndExport Summary report and
the Analyze and Export full report.
See Analysis and Export of ACS 4.x Data, page 6-36. In this phase, you:
• Identify issues for data that cannot be migrated and review manual migration considerations. See
Resolving Migration Issues, page D-3.
• Identify issues to fix prior to migration.
• Identify the data to consolidate. See “Consolidating Data” section on page 6-37 for more
information.
Only data that passes the Analyze and Export phase can be exported and later imported to ACS 5.6.
Step 2 Back up the ACS 5.6 target machine database.
Step 3 Import the ACS 4.x data to ACS 5.6 and review the Import Summary Report.
See Importing the ACS 4.x Data to ACS 5.6, page 6-37.
Figure 3-2 illustrates the migration process.
Figure 3-2 Migration Process
Object Group Selection
You can choose to perform a full or partial migration. For partial migration, you have to choose the object
groups to be migrated.
The object groups are defined according to dependencies between the objects. You can migrate either a
group of the object types supported by the application or all supported object types. You can select from
the following groups of objects:
• All Objects—All ACS objects that are supported in the migration process.
• All User Objects—Identity groups and all objects extracted from users
• All Device Objects—Network devices and NDGs
• Shared command sets
• Shared downloadable access control lists (DACLs)
• Master Keys—Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling
(EAP-FAST) master keys
• Shared RADIUS Authorization Components (RACs) and vendor-specific attributes (VSAs)
Analysis and Export
You must analyze the existing configuration of ACS 4.x and identify the possible migration issues or
problems that could affect your ability to perform a successful data migration.
In this phase, you identify:
• Issues for data that cannot be migrated. You are also provided opportunities to rectify this data prior
to the migration.
• Issues to fix before migration.
• The data to consolidate. See “Consolidating Data” section on page 6-37 for more information.
Note Only data that passes the analysis phase can be exported and later imported to ACS 5.6.
The export process exports the selected set of objects from the ACS 4.x data to an external data file that
is processed during the import process.
The export process reports the following issues:
• Data that was not exported, and the reason.
• Data that was exported, and the statistics.
Import
The data export file from ACS 4.x is imported into ACS 5.6.
You can run the Import on a full database. We recommend that you manually back up the ACS 5.6
database. The backup version of the database can be used to restore the system, if any unexpected errors
occur during the data import process.
Multiple-Instance Support
For multiple-instance migration, every instance is restored on the same migration machine, and the
results from all the instances are maintained. For more information on the specific changes for each data
type, related to multiple-instance support, see Migration of ACS 4.x Objects, page 6-9.
The multiple-instance support in ACS 5.6 has the following key features:
• Duplicate Object Reporting, page 3-10
• Object Name Prefix Per Instance, page 3-10
• Shared Object Handling, page 3-10
Duplicate Object Reporting
Duplicate data objects on multiple ACS 4.x instances are detected in the import phase. For most object
types, you can identify duplicates by name. Additionally, the import report lists information about the
duplicate objects; see “Migration of ACS 4.x Objects” section on page 6-9.
Object Name Prefix Per Instance
You can define a different name prefix to each ACS 4.x instance. The prefix is used to retain
server-specific identification of data elements and prevent duplication of names of objects for different
servers. You can change the name prefix at the beginning of each run of the Migration Utility (per ACS
4.x instance).
You can have an instance-specific prefix and thus import all the data regardless of duplication between
ACS 4.x instances. You can configure a global name prefix or per-object-type name prefix. This enables
you to preserve associations between shared objects. For more information, see “Migration of ACS 4.x
Objects” section on page 6-9.
Shared Object Handling
Shared objects between the ACS 4.x instances—such as NDGs, user attribute definitions, and user
groups—are migrated only once. However, because of the association support for multiple instances,
object associations are created according to the status of ACS 5.6 data. For more information, see
“Migration of ACS 4.x Objects” section on page 6-9.
For example, if user A is associated to group BB and neither the user nor the group were migrated, both
objects are created and then associated in ACS 5.6.
Chapter 4 ACS 5.6 Migration Utility Support
This chapter describes:
• ACS 4.x to 5.6 Migration Version Support, page 4-1
• ACS 4.0 Migration Support, page 4-1
• ACS 4.x Appliance Support, page 4-2
• CSACS-1120 Series Appliance Support, page 4-2
• Remote Desktop Support, page 4-2
• Multiple-Instance Support, page 4-2
• ACS 4.x Elements Supported in the Migration Process, page 4-3
• ACS 4.x Elements Not Supported in the Migration Process, page 4-4
• User Interface, page 4-5
ACS 4.x to 5.6 Migration Version Support
You can migrate the following ACS 4.x versions:
• ACS 4.1.1.24
• ACS 4.1.4
• ACS 4.2.0.124
• ACS 4.2.1
ACS 4.0 Migration Support
You must upgrade from ACS for Windows Server 4.0 to ACS for Windows Server 4.1.1.24 to migrate
your data to ACS 5.6. See the Installation Guide for Cisco Secure ACS for Windows 4.1 for more
information.
ACS 4.x Appliance Support
You can migrate data from ACS 4.x only on Windows software. If you have an ACS 4.x appliance, you
must back up the ACS 4.x configuration and restore and upgrade it to ACS for Windows Server 4.1.1.24.
• If the appliance version is ACS 4.1.1.24, you must install the corresponding ACS 4.x version on the
Windows server and then restore the data from the appliance.
• If you are using ACS version 4.1.1.24 or above, you do not have to upgrade. See the Installation
Guide for Cisco Secure ACS for Windows 4.1 for more information.
CSACS-1120 Series Appliance Support
The CSACS-1120 appliance can be used to install either ACS 4.2 or ACS 5.0. You cannot run ACS 5.6
on CSACS-1120. If you currently have ACS 4.2 installed on a CSACS-1120 appliance, and you want to
migrate to ACS 5.6, you must first back up the ACS 4.2 data before proceeding to the ACS 5.6
installation.
To migrate data from ACS 4.2 on CSACS-1120 to ACS 5.6 on a SNS-3415 or SNS-3495 series
appliance:
Step 1 Back up ACS 4.2 data on CSACS-1120 appliance.
Step 2 Restore the ACS 4.2 data on an intermediate migration machine.
Step 3 Install ACS 5.6 on the SNS-3415 or SNS-3495 appliance.
Step 4 Migrate ACS 4.2 objects from the intermediate migration machine to ACS 5.6 that is installed on the
SNS-3415 or SNS-3495 appliance.
Remote Desktop Support
The Migration Utility does not support Remote Desktop Connection. You must run the Migration Utility
on the migration machine or use VNC to connect to the migration machine.
Multiple-Instance Support
In ACS 5.6, multiple distinct database instances (4.x) are combined into a single consolidated database.
In ACS 4.x, selective data replication can be defined so that different ACS instances maintain distinct
subsets of the overall system configuration, while in ACS 5.6, a single consolidated database is
replicated to all ACS instances in the deployment.
As a result, the primary database contains all the local configuration definitions from each of the ACS
4.x instances.
ACS 4.x Elements Supported in the Migration Process
Table 4-1 shows the ACS 4.x elements that the Migration Utility supports and the corresponding ACS
5.6 element.
Note You migrate command sets from shared objects or from within the user or group definitions. Shell
profiles are created from the shell exec parameters within group definitions. However, shell exec
parameters stored in user records are migrated as identity attributes associated with the individual user.
Table 4-1 ACS Elements that Migration Process Supports
ACS 4.x Element | ACS 5.6 Element
AAA Client/Network Device | Network Device. See AAA Client/Network Device, page 6-10 for more information.
Internal User | Internal User. See Internal User, page 6-16 for more information.
User Defined Fields (within Interface Configuration section) | Identity Attributes/Internal User. See User Group, page 6-23 for more information.
User Group | Identity Group. See User Group, page 6-23 for more information.
Shared Shell Command Authorization Sets | Command Set. See Shared Shell Command Authorization Sets, page 6-28 for more information.
User T+ Shell Exec Attributes | Identity Attributes/Internal User. See User Group, page 6-23 for more information.
Group T+ Shell Exec Attributes | Shell Profile. See User Group Policy Components, page 6-24 for more information.
User T+ Command Authorization Sets | Command Set. See User Group, page 6-23 for more information.
MAC Authentication Bypass (MAB) Addresses | Internal Host Database. See MAC Addresses and Internal Hosts, page 6-27 for more information.
Shared Downloadable Access Control List (DACL) | Downloadable ACL. See Shared DACL Objects, page 6-29 for more information.
EAP-FAST Master Keys | EAP-FAST Master Keys. See EAP-FAST Master Keys and the Authority ID, page 6-34 for more information.
Shared RADIUS Authorization Components | Authorization Profiles. See Shared RACs, page A-5 for more information.
Customer Vendor-Specific Attributes | Customer VSAs. See Customer VSAs, page A-5 for more information.
Max User Sessions | Maximum User Sessions. See Max User Sessions, page A-5 for more information.
ACS 4.x Elements Not Supported in the Migration Process
The Migration Utility does not support:
• Group DACLs
• Group RADIUS Attributes
• Active Directory (AD) Configuration
• AD Group Mapping
• Admin Accounts
• Admin Users
• Authority Certificates
• Certificate Trust List (CTL)
• Certificate Revocation List (CRL)
• Date and Time
• External Database Configuration
• Generic Lightweight Directory Access Protocol (LDAP) Configuration
• Group Shell Custom Attributes
• Group Private Internet Exchange, Adaptive Security Appliance (ASA), and Shell Command
Authorization Sets
• Group Network Access Restrictions (NARs)
• Internal ID Password Enforcement—Sarbanes-Oxley (SOX)
• LDAP Group Mapping
• Logging Configuration
• Machine Access Restrictions (MARs)
• Network Access Profiles (NAPs)
• Protocol Settings (system and global authentication)
• Proxy RADIUS and T+ (migrates only external access control server credentials)
• TACACS+ Dictionary
• RADIUS One-Time Password (OTP)
• RSA OTP
• Shared NARs
• Server Certificate
• Shared Network Access Filtering (NAF)
• Shared PIX and ASA Command Authorization Sets
• Time-of-Day Access Settings
• User PIX/ASA Shell Command Authorization
• User DACLs
• User NARs
• User RADIUS Attributes
• IP Pools
• Dial-In Support
See the User Guide for Cisco Secure Access Control Server 4.2 for descriptions of the attributes that do
not migrate.
User Interface
This section describes the end user interface for the ACS 5.6 Migration Utility.
CLI-Based Migration Utility
ACS 5.6 supports a CLI-based Migration Utility. For more information on the migration settings, see
Running the Migration Utility, page 6-2.
Phases of the CLI-Based Migration Utility
The CLI-based Migration Utility consists of the following parts:
• Settings, page 4-5
• Object Group Selection, page 4-5
• Operation Selection, page 4-6
Settings
The Migration Utility uses operator-configured settings that can be saved persistently. Every invocation
of the Migration Utility prompts you to use the previously defined values or select new ones. For more
information on the migration settings, see “Running the Migration Utility” section on page 6-2.
The settings are of two types:
• ACS 5.6 Identification and Credentials—IP address or hostname of the ACS 5.6 server to which the
data is being migrated. The administrator username and password that are used to import data in the
ACS 5.6 server are also specified.
We recommend that you define a unique administrator for the migration operations to make it easy
to identify them while browsing the configuration records. While running the Migration Utility, use
only the default superadmin account acsadmin or the recovery superadmin for ACS 5.6.
• Configuration Options—Associated with the migration of certain object types. After you configure
the settings, you are prompted to acknowledge whether to save them as the defaults for use during
subsequent invocations of the utility.
Object Group Selection
You can migrate either a group of the object types that are supported by the Migration Utility or all
supported object types. For more information on the details of the various phases in the migration
procedure and the impact and considerations for each object type, see “Migration of ACS 4.x Objects”
section on page 6-9.
For a detailed procedure on selecting the available options, see “Running the Migration Utility” section
on page 6-2.
The following groups of objects are available for selection:
• All Objects—All ACS objects
• All User Objects—Identity groups and all objects that are extracted from users
• All Device Objects—Network devices and NDGs
• Shared command sets
• Shared DACLs
• Master Keys—EAP-FAST master keys
• Shared RACs and VSAs
Operation Selection
After you select a set of object types, you must select the migration phase to be performed. The following
options are available:
• Analyze and Export
• Import
After you select an option, the corresponding process runs, and the relevant reports are displayed on the
screen. For each operation, two types of reports are displayed:
• Summary
• Detailed
For more information on the reports that are generated during different phases of the migration, see
“Printing Reports and Report Types” section on page 6-40.
Chapter 5 Migration Utility Setup and Installation
This chapter describes migration considerations for each machine in the migration process and contains:
• Migration Preinstallation Considerations, page 5-1
• System Requirements, page 5-2
• ACS Software Accessory Kit DVDs, page 5-3
• Security Considerations, page 5-4
• Accessing the Migration Utility, page 5-4
• Data Migration and Deployment Scenarios, page 5-5
• Data Migration Between Platforms, page 5-6
Migration Preinstallation Considerations
Before you begin, ensure that you configure your environment for migration. In addition to your ACS
4.x Windows source machine, you must deploy an ACS 4.x migration machine and an ACS 5.6 target
machine. Keep in mind the following considerations:
• Ensure that the ACS 4.x database does not have any database corruption issues.
• Ensure that you configure the ACS 4.x migration machine for a single IP address. Migration fails on
a migration machine with multiple IP address aliases per interface.
• Perform a full database backup on the ACS 4.x Windows source machine. Use this machine to
maintain your ACS 4.x data. Restore the backed-up data to an additional ACS 4.x migration
machine, and fix issues before importing the data to the ACS 5.6 machine.
For database backup instructions, see the Installation Guide for Cisco Secure ACS for Windows 4.1.
• The migration machine should have the same 4.x version as the source machine. You should back
up the ACS 4.x version you wish to migrate on the 4.x Windows source machine and restore the
same 4.x version on the migration machine. The restore fails if the migration machine does not have
the same 4.x version as the source machine.
See the Installation Guide for Cisco Secure ACS for Windows 4.1.
• Restore data from the ACS 4.x Windows source machine to the migration machine. The migration
machine is a Windows platform running ACS 4.x. Use this machine solely for the purpose of
migration. The migration machine cannot be an appliance machine.
Note Use the migration machine when you make any changes to the ACS 4.x data.
• Perform a full database backup on the ACS 5.6 target machine. Use this machine to process the
imported data. For database backup instructions, see the Command Line Interface Reference Guide
for Cisco Secure Access Control System 5.6.
• Ensure that you:
– Install ACS 5.6 on the target machine.
– Use a compatible ACS 5.6 license.
– Establish network connection between the migration machine and ACS 5.6 server.
• Back up your ACS 5.6 database before you run the Import phase.
• Enable the migration interface on the ACS 5.6 server. For more information on how to enable the
migration interface and run the Migration Utility, see Chapter 6, “Using the Migration Utility to
Migrate Data from ACS 4.x to ACS 5.6”.
System Requirements
Your ACS machines must meet the system requirements described in Table 5-1. All documents are
available on Cisco.com.
Table 5-1 System Requirements for Migration Machines
Platform | Requirements
ACS 4.x source machine | See the Installation Guide for Cisco Secure ACS for Windows 4.1.
ACS 4.x migration machine | See the Installation Guide for Cisco Secure ACS for Windows 4.1. The machine must have 2 GB of RAM. Ensure that you configure the ACS 4.x migration machine for a single IP address. Migration fails on a migration machine with multiple IP address aliases per interface.
ACS 5.6 target machine | See the following: Installation and Setup Guide for ACS 5.6; Cisco Application Deployment Engine (ADE) 1010 and 2120 Series Appliance Hardware Installation Guide; Cisco Application Deployment Engine (ADE) 2130 and 2140 Series Appliance Hardware Installation Guide.
ACS Software Accessory Kit DVDs
Table 5-2 describes the ACS software accessory kit DVDs.
Table 5-2 ACS Software Accessory Kit DVDs
DVD: Cisco Secure Access Control System-Installation and Recovery DVD, Version 5.6 (Part Number 80-10547-05)
Use this DVD to:
• Install the ACS 5.6 ISO image.
• Install the Application Upgrade Bundle.
• Install VMware.
• Recover the ACS 5.6 appliance.
• Reset the password.
DVD: Cisco Secure Access Control System-Upgrade and Migration Documentation DVD, Version 5.6 (Part Number 80-10548-05)
Use this DVD to:
• Install the ACS 5.4 Upgrade Package (upgrade from 5.3 to 5.4).
• Install the ACS 5.5 Upgrade Package (upgrade from 5.4 to 5.5).
• Install the ACS 5.6 Upgrade Package (upgrade from 5.4 or 5.5 to 5.6).
• Install the Migration Utility, if you are running one of the following ACS versions:
– 4.1.1.24
– 4.1.4.13
– 4.2.0.124
• Upgrade the server to ACS 4.2.0.124 before migration.
• Documentation:
– ACS_5.6_5x5_Pointer_Card_ChinaRoHS.pdf
– ACS_5.6_CLI_Reference_Guide.pdf
– ACS_5.6_Installation_and_Upgrade_Guide.pdf
– ACS_5.6_Migration_Guide.pdf
– ACS_5.6_Regulatory_Compliance_and_Safety_Information.pdf
– ACS_5.6_Release_Notes.pdf
– ACS_5.6_SDT_Guide.pdf
– ACS_5.6_Software_Developer’s_Guide.pdf
– ACS_5.6_User_Guide.pdf
Migration from ACS 4.x to ACS 5.x is supported only from the software version of ACS 4.x.
To migrate from the ACS 4.x appliance version, complete the following steps:
Step 1 Make a backup from any supported version of the ACS 4.x appliance.
Step 2 Restore the appliance backup on the same supported version of the ACS 4.x software.
Step 3 Now run the Migration Utility.
Security Considerations
The export phase of the migration process creates a data file that is used as the input for the import
process. The content of the data file is encrypted and cannot be read directly.
You need an ACS administrator username and password to import data into ACS 5.6. You should use a
reserved username, so that records created by the import utility can be identified in the audit log.
Accessing the Migration Utility
To access the Migration Utility, download it from the ACS 5.6 web interface.
To download migration application files:
Step 1 Choose System Administration > Downloads > Migration Utility.
The Migration from 4.x page appears.
Step 2 Click Migration application files to download migration.zip, which contains the application files you
use to run the Migration Utility.
You may also use the Cisco Secure Access Control System-Installation and Recovery DVD, Version 5.6,
available in the migration software accessory kit, to download the migration.zip file.
Related Topics
• ACS Software Accessory Kit DVDs, page 5-3
• Chapter 6, “Using the Migration Utility to Migrate Data from ACS 4.x to ACS 5.6”
Migration Utility Packaging
The zip file migration.zip contains the Migration Utility files. Extract this file to a migration directory.
This document uses the migration directory structure shown in Figure 5-1.
Figure 5-1 Migration Utility Directory Structure
Related Topics
• ACS Software Accessory Kit DVDs, page 5-3
• Accessing the Migration Utility, page 5-4
• Chapter 6, “Using the Migration Utility to Migrate Data from ACS 4.x to ACS 5.6”
Data Migration and Deployment Scenarios
The Migration Utility migrates ACS 4.x objects to ACS 5.6. The process of data migration in a single
ACS appliance differs from that of ACS appliances in a distributed environment. This section contains:
• Guidelines for Data Migration in a Single ACS Server, page 5-5
• Guidelines for Data Migration in a Distributed Environment, page 5-5
Guidelines for Data Migration in a Single ACS Server
If you have a single ACS appliance in your environment (or several ACS appliances, but not in a
distributed setup), run the Migration Utility against the ACS appliance as described in this guide.
For instructions to verify that migration is complete, see Validating Import, page 6-45.
Guidelines for Data Migration in a Distributed Environment
If you run ACS in a distributed environment (for example, if you have one primary ACS appliance and
one or more secondary ACS appliances that interoperate with the primary ACS), you must:
Step 1 Back up the primary ACS appliance and restore it on the migration machine.
Step 2 Run the Migration Utility against the primary ACS appliance.
If you have a large internal database, we recommend that you run the migration from an ACS 4.x to an
ACS 5.6 standalone primary server, and not to a primary server that is connected to several secondary
appliances. After the migration process completes, you can register all the secondaries.
The Migration Utility runs for approximately 15 hours to migrate 300,000 users, 50,000 devices, and
50,000 MAB. When you restart ACS 5.6, the startup process takes about 15 minutes before ACS 5.6 is
available for use. The behavior of ACS 5.6 for data migration beyond 400,000 users and 200,000 devices
is unknown.
Data Migration Between Platforms
Figure 5-2 shows the data migration flow between platforms. See Chapter 6, “Using the Migration
Utility to Migrate Data from ACS 4.x to ACS 5.6.”
Figure 5-2 Migration Flow Between Platforms
Chapter 6 Using the Migration Utility to Migrate Data from ACS 4.x to ACS 5.6
This chapter describes how to migrate data from ACS 4.x to ACS 5.6 and contains:
• Introduction, page 6-1
• Running the Migration Utility, page 6-2
• Migration Script Sections, page 6-5
• Migration of ACS 4.x Objects, page 6-9
• Analysis and Export of ACS 4.x Data, page 6-36
• Importing the ACS 4.x Data to ACS 5.6, page 6-37
• Migrating Multiple Instances, page 6-40
• Migration Impact on Memory and Performance, page 6-40
• Printing Reports and Report Types, page 6-40
• Errors and Exception Handling, page 6-47
• Confirming the Migration, page 6-47
Introduction
This chapter contains information to migrate data from ACS 4.x to ACS 5.6. Before you begin, you must
follow the setup, backup, and installation instructions in Chapter 5, “Migration Utility Setup and
Installation.”
Before you begin migration, ensure that you have enabled the migration interface on the ACS 5.6 server.
From the command line interface, enter:
acs config-web-interface migration enable
To verify that the migration interface is enabled on the ACS 5.6 server, from the command line interface,
enter:
show acs-config-web-interface
See the Command Line Interface Reference Guide for Cisco Secure Access Control System 5.6 for more
information.
Running the Migration Utility
To run the Migration Utility:
Step 1 Open a command prompt and change directory to C:\Migration Utility\migration\bin.
You can specify any directory in which to install the Migration Utility. This example uses the Migration
Utility as the root directory.
Step 2 At the command prompt, type migration.bat.
Example 6-1 shows the prompts that appear when you run the Migration Utility.
Example 6-1 Migration Script (User Input)
Copyright (c) 2008-2009 Cisco Systems, Inc.
All rights reserved.
---------------------------------------------------------------------------------------
This utility migrates data from ACS 4.x to ACS 5. You can migrate directly from the
following ACS versions:
- ACS 4.1.1.24
- ACS 4.1.4
- ACS 4.2.0.124
- ACS 4.2.1
Data migration involves the following:
a. The migration utility analyzes the ACS 4.x data, exports any data from ACS 4.x that can
be migrated automatically, and imports the data into ACS 5.
b. Before the import stage, you can manually consolidate and resolve data according to the
analysis report, to maximize the amount of data that the utility can migrate.
c. After migration, use the imported data to recreate your policies in ACS 5.
---------------------------------------------------------------------------------------
Make sure that the database is running.
Enter ACS 5 IP address or hostname:[nn.nn.nnn.nnn]
Enter ACS 5 administrator username:[test]
Enter ACS 5 password:
Change user preferences?[no]
yes
User Groups
--------------------------------------------------------------------------------
Existing user groups will be migrated to the Identity Group.
Enter new Root name:[Migrated Group]
Network Device Groups
--------------------------------------------------------------------------------
Existing network device groups will be migrated to the Network Device Group.
Enter new Root name:[Migrated NDGs]
Consolidation Prefix
--------------------------------------------------------------------------------
Identical objects found will be consolidated into one object.
Enter a prefix to add to the consolidated object:[cons]
Users
--------------------------------------------------------------------------------
ACS 5 supports authentication for internal users against the internal database only.
ACS 4.x users who were configured to use an external database for authentication will be
migrated with a default authentication password.
Specify a default password.
Disabled Group Users
--------------------------------------------------------------------------------
ACS 4.x users and hosts that are associated with disabled groups will be migrated as
disabled:[yes]
Configure these users as disabled in ACS 5, or ask for a change of password on a user’s
first attempt to access ACS 5.
Select the option:
1 - DisableExternalUser
2 - SetPasswordChange
Selected option:[2]
2
Network Devices
--------------------------------------------------------------------------------
TACACS+ and RADIUS network devices with same IP address will be unified.
Select a name to be used for unified devices.
1 - RADIUSName
2 - TACACSName
3 - CombinedName
Selected option:[3]
DACL name construction
--------------------------------------------------------------------------------
Existing downloadable ACL will be migrated.
Select a name to be used for the migrated DACL
1 - DaclName_AclName
2 - AclName
Selected option:[1]
Save user defaults? [yes]
yes
Enter ACS 4.x Server ID:
acs1
Add server-specific migration prefixes?[no]
yes
You can add a global prefix to all migrated objects from this server.
Enter a global prefix:[]
s1
Use special prefixes for specific object types?[no]
yes
** To input an empty prefix, enter the keyword EMPTY.
User Attributes Prefix: You can add an additional prefix to the user attributes.
Enter a prefix to add to these objects:[s1]
Network Device Prefix: You can add an additional prefix to the network devices names.
Enter a prefix to add to these objects:[s1]
Users Command Set Prefix: Extracted command sets are migrated to a shared named object
with an optional prefix.
Enter a prefix to add to these objects:[s1]
Groups Command Set Prefix: Extracted command sets will be given the group name with an
optional prefix.
Enter a prefix to add to these objects:[s1]
Groups Shell Exec Prefix: Extracted shell profile will be given the group name with an
optional prefix.
Enter a prefix to add to these objects:[s1]
Shared Command Sets Prefix: Extracted command sets are migrated to a shared named object
with an optional prefix.
Enter a prefix to add to these objects:[s1]
Shared Downloadable ACL Prefix: Extracted Downloadable ACL will be given a name with an
optional prefix.
Enter the prefix to add to such objects:[s1]
RAC Prefix: Existing RAC will be migrated with an optional prefix.
Enter the prefix to add to such objects:[s1]
User Groups Root Prefix: You can add a prefix to the user groups root.
Enter a prefix to add to the user groups root:[s1]
Network Device Groups Root Prefix: You can add a prefix to the network device groups root.
Enter a prefix to add to the network device groups root:[s1]
Save server migration prefixes?[yes]
yes
Show full report on screen?[yes]
yes
--------------------------------------------------------------------------------
Select the ACS 4.x Configuration groups to be migrated:[1]
1 - ALLObjects
2 - AllUsersObjects
3 - AllDevicesObjects
4 - SharedCommandSet
5 - SharedDACLObject
6 - MasterKeys
7 - SharedRACObjectWithVSA
--------------------------------------------------------------------------------
6
--------------------------------------------------------------------------------
The following object types will be extracted:
--------------------------------------------------------------------------------
EAP FAST - Master Keys
--------------------------------------------------------------------------------
Choose one of the following:
1 - AnalyzeAndExport
2 - Import
3 - CreateReportFiles
4 - Exit
--------------------------------------------------------------------------------
4
--------------------------------------------------------------------------------
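The per-instance prefix, device unification, duplicate and shared-object rules described under Multiple-Instance Support in Chapter 3 and prompted for in Example 6-1, modelled in Python as an added example (this is not the Migration Utility's own code). The record layout, the per-type prefix keys, the plain concatenation of prefix and name, and the CombinedName join format are assumptions of the example.

```python
"""Illustrative model of the naming and consolidation rules this guide describes:
global and per-type prefixes per ACS 4.x instance (keyword EMPTY = no prefix),
unification of TACACS+ and RADIUS devices sharing an IP, duplicate reporting, and
shared objects migrated once. Not the Migration Utility's code; data is constructed."""
from dataclasses import dataclass, field

# Object types the guide lists as shared between ACS 4.x instances.
SHARED_KINDS = {"ndg", "user_group", "user_attr_def"}


@dataclass
class Obj:
    kind: str        # "user", "device", "ndg", "user_group", ...
    name: str
    instance: str    # ACS 4.x Server ID entered at the prompt, e.g. "acs1"
    attrs: dict = field(default_factory=dict)


def prefix_for(kind, global_prefix, per_type):
    """A per-type prefix overrides the global one; EMPTY means no prefix at all."""
    p = per_type.get(kind, global_prefix)
    return "" if p == "EMPTY" else p


def unify_devices(devices, name_choice):
    """Merge a TACACS+ and a RADIUS entry with the same IP into one device.
    name_choice mirrors the prompt: RADIUSName, TACACSName or CombinedName.
    The CombinedName format (radius_tacacs) is an assumption of this example."""
    by_ip = {}
    for d in devices:
        by_ip.setdefault(d.attrs["ip"], []).append(d)
    unified = []
    for ip, group in by_ip.items():
        radius = next((d for d in group if d.attrs["protocol"] == "RADIUS"), None)
        tacacs = next((d for d in group if d.attrs["protocol"] == "TACACS+"), None)
        if radius is None or tacacs is None:
            unified.extend(group)  # only one protocol on this IP: nothing to unify
            continue
        if name_choice == "RADIUSName":
            name = radius.name
        elif name_choice == "TACACSName":
            name = tacacs.name
        else:
            name = f"{radius.name}_{tacacs.name}"
        unified.append(Obj("device", name, radius.instance,
                           {"ip": ip, "protocol": "RADIUS+TACACS+"}))
    return unified


def plan_import(objs, prefixes, name_choice="CombinedName"):
    """Apply per-instance prefixes, then decide what would be created in ACS 5.6.
    prefixes maps instance -> (global_prefix, {kind: prefix}); the prefix is
    simply prepended to the 4.x name (an assumption). Returns (created, report):
    created maps kind -> ACS 5.6 names, report lists duplicates and shared objects."""
    created, report, seen = {}, [], {}
    per_instance = {}
    for o in objs:
        per_instance.setdefault(o.instance, []).append(o)
    for inst, items in per_instance.items():
        devs = [o for o in items if o.kind == "device"]
        others = [o for o in items if o.kind != "device"]
        gp, per_type = prefixes.get(inst, ("", {}))
        for o in others + unify_devices(devs, name_choice):
            new_name = prefix_for(o.kind, gp, per_type) + o.name
            key = (o.kind, new_name)
            if key in seen:  # same kind and name already planned from another run
                why = ("shared object, migrated once" if o.kind in SHARED_KINDS
                       else "duplicate name, skipped")
                report.append(f"{o.kind} '{new_name}' from {inst}: {why} "
                              f"(first seen in {seen[key]})")
                continue
            seen[key] = inst
            created.setdefault(o.kind, []).append(new_name)
    return created, report


# Constructed sample: two ACS 4.x instances restored on the migration machine.
SAMPLE_OBJECTS = [
    Obj("user", "alice", "acs1"),
    Obj("device", "core-sw", "acs1", {"ip": "10.0.0.1", "protocol": "RADIUS"}),
    Obj("device", "core-sw-tac", "acs1", {"ip": "10.0.0.1", "protocol": "TACACS+"}),
    Obj("ndg", "Branch", "acs1"),
    Obj("user_group", "Admins", "acs1"),
    Obj("user", "alice", "acs2"),
    Obj("device", "edge-rtr", "acs2", {"ip": "10.0.0.2", "protocol": "RADIUS"}),
    Obj("ndg", "Branch", "acs2"),
    Obj("user_group", "Admins", "acs2"),
]
# Global prefix per server; shared kinds get EMPTY so both instances map them
# to the same ACS 5.6 object and their associations are preserved.
SAMPLE_PREFIXES = {
    "acs1": ("s1", {"ndg": "EMPTY", "user_group": "EMPTY"}),
    "acs2": ("s2", {"ndg": "EMPTY", "user_group": "EMPTY"}),
}
```

Running plan_import without any prefixes (an empty prefixes dict) shows the duplicate user that distinct server prefixes avoid.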